[whatwg] Comments on @sandbox
ian at hixie.ch
Mon Jan 11 18:45:21 PST 2010
On Tue, 12 Jan 2010, Ian Hickson wrote:
> On Thu, 5 Nov 2009, Adam Barth wrote:
> > == allow-same-origin + allow-script ==
> > It's clear that adding both allow-same-origin and allow-script to
> > @sandbox at the same time make the sandbox useless because the
> > sandboxed content can simply reach outside the frame and remove the
> > sandbox attribute. Should we disallow setting these values at the
> > same time? If an author does set both, maybe we should only pay
> > attention to one?
> Done. allow-same-origin now overrides allow-scripts.
Er, sorry. That was a momentary lapse of attention. I've reverted this
allow-same-origin and allow-scripts can be usefully set together when the
origin of the embedded page is not the same as the origin of the embedding
page. I'll add a warning about it being somewhat pointless to use them
together in same-origin cases, though.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg