[whatwg] Confirming understanding about window.location's interaction with sandboxed seamless iframes
Adam Barth
w3c at adambarth.com
Wed Apr 11 23:18:25 PDT 2012
We ran into a tricky case in implementing seamless today, and I'd like
to make sure we did the right thing. Consider the following markup:
<iframe seamless srcdoc="<script>window.location =
'http://example.com/';</script>"></iframe>
According to the rules for navigating seamless iframes, when the child
frame assigns to window.location, the browser will navigate the parent
frame. Now, what happens if you add in sandbox:
<iframe seamless sandbox="allow-scripts"
srcdoc="<script>window.location =
'http://example.com/';</script>"></iframe>
In this case, navigating the parent is blocked because the sandbox
prevents the child from navigating its parent. Therefore, the
navigation just fails. There's a full test case up on GitHub if
that's helpful to you:
https://github.com/eseidel/webkit/blob/seamless/LayoutTests/fast/frames/seamless/seamless-window-location-sandbox.html
Please let us know if we've misunderstood the interactions between
these three features.
Thanks!
Adam
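
The behaviour described in the message above, as an added example that is not part of the original post or of WebKit's code: a small JavaScript model of what an assignment to window.location does for a given combination of seamless and sandbox. The function names, the `parentIsTop` field and the treatment of `allow-top-navigation` are assumptions made for illustration; the post itself only covers the `sandbox="allow-scripts"` case.

```javascript
// Added model, not browser or spec code. All names here are hypothetical.

// Parse a sandbox attribute value into a set of lowercase tokens.
// null/undefined means the attribute is absent (the frame is not sandboxed).
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Model what `window.location = url` does when run inside the child frame.
// frame: { seamless: boolean, sandbox: string|null, parentIsTop: boolean }
function resolveLocationAssignment(frame) {
  const tokens = parseSandbox(frame.sandbox);
  const sandboxed = tokens !== null;

  // A sandboxed frame runs no script at all unless allow-scripts is present.
  if (sandboxed && !tokens.has('allow-scripts')) {
    return { scriptRuns: false, target: null, navigates: false };
  }

  // Seamless redirects the navigation to the parent frame;
  // a non-seamless frame simply navigates itself.
  const target = frame.seamless ? 'parent' : 'self';
  if (target === 'self' || !sandboxed) {
    return { scriptRuns: true, target, navigates: true };
  }

  // Sandboxed child whose navigation targets its parent: blocked, as in the
  // post. Assumption (not from the post): allow-top-navigation lifts the
  // block only when the parent is the top-level browsing context.
  const allowed = frame.parentIsTop && tokens.has('allow-top-navigation');
  return { scriptRuns: true, target, navigates: allowed };
}

// Constructed inputs mirroring the two snippets in the message.
const plainSeamless = { seamless: true, sandbox: null, parentIsTop: true };
const sandboxedSeamless = { seamless: true, sandbox: 'allow-scripts', parentIsTop: true };
console.log(resolveLocationAssignment(plainSeamless));
console.log(resolveLocationAssignment(sandboxedSeamless));
```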