[whatwg] Confirming understanding about window.location's interaction with sandboxed seamless iframes
Adam Barth
w3c at adambarth.com
Wed Apr 11 23:39:32 PDT 2012
On Wed, Apr 11, 2012 at 11:35 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Wed, 11 Apr 2012, Adam Barth wrote:
>>
>> We ran into a tricky case in implementing seamless today, and I'd like
>> to make sure we did the right thing. Consider the following markup:
>>
>> <iframe seamless srcdoc="<script>window.location =
>> 'http://example.com/';</script>"></iframe>
>>
>> According to the rules for navigating seamless iframes, when the child
>> frame assigns to window.location, the browser will navigate the parent
>> frame. Now, what happens if you add in sandbox:
>>
>> <iframe seamless sandbox="allow-scripts"
>> srcdoc="<script>window.location =
>> 'http://example.com/';</script>"></iframe>
>>
>> In this case, navigating the parent is blocked because the sandbox
>> prevents the child from navigating it's parent.
>
> The blocking happens in step 2, which is before the seamless redirection
> which is in step 3, so in this case it's not blocked.
On #whatwg, Hixie pointed me to this table:
http://www.whatwg.org/specs/web-apps/current-work/#browsing-context-names
which looks quite helpful.
Thanks!
Adam
More information about the whatwg
mailing list