[whatwg] Comments on @sandbox

Ian Hickson ian at hixie.ch
Mon Jan 11 18:45:21 PST 2010


On Tue, 12 Jan 2010, Ian Hickson wrote:
>
> On Thu, 5 Nov 2009, Adam Barth wrote:
> > 
> > == allow-same-origin + allow-script ==
> > 
> > It's clear that adding both allow-same-origin and allow-script to 
> > @sandbox at the same time make the sandbox useless because the 
> > sandboxed content can simply reach outside the frame and remove the 
> > sandbox attribute.  Should we disallow setting these values at the 
> > same time?  If an author does set both, maybe we should only pay 
> > attention to one?
>
> Done. allow-same-origin now overrides allow-scripts.

Er, sorry. That was a momentary lapse of attention. I've reverted this 
change.

allow-same-origin and allow-scripts can be usefully set together when the 
origin of the embedded page is not the same as the origin of the embedding 
page. I'll add a warning about it being somewhat pointless to use them 
together in same-origin cases, though.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list