[whatwg] iframe sandbox attribute

Ian Melven imelven at mozilla.com
Mon Mar 26 14:37:41 PDT 2012


While working on implementing HTML5's iframe sandbox, I realized that in script, one can't
tell the difference between these two cases : <iframe> and <iframe sandbox = ''>.

In both cases, iframe.sandbox will be '' (the empty string). This is
true in Webkit and IE10's implementations, as far as my testing can tell (and
in my work-in-progress implementation for Firefox also). 

There's also no way to clear sandboxing from an <iframe> without using something along
the lines of .removeAttribute.

Due to this and some sentiment expressed by others at Mozilla against PutForwards
(the HTML5 spec specifies [PutForwards=value] on <iframe>'s sandbox attribute, which is 
defined as a DOMSettableTokenList), I would like to propose a possible modification
to the spec : changing <iframe> sandbox to be |string? sandbox| instead of a DOMSettableTokenList.

It is my understanding that this matches what Webkit has implemented. Additionally, 
sandbox = null would mean there is no sandbox attribute (i.e. <iframe>) and sandbox = '' would
mean the iframe is fully sandboxed with no permissions granted (ie. <iframe sandbox=''>).

This allows script to tell if an iframe is actually sandboxed or not (well, if it's intended to be
sandboxed or not, to be exact, since changing flags doesn't take affect immediately, per the 
HTML5 spec), allows adding and removing sandboxing via the attribute itself, and avoids the need for
a PutForwards.

Comments and feedback are very welcome !

thank you,

More information about the whatwg mailing list