[whatwg] iframe sandbox attribute

Ian Hickson ian at hixie.ch
Mon Mar 26 15:19:32 PDT 2012


On Mon, 26 Mar 2012, Boris Zbarsky wrote:
> On 3/26/12 3:13 PM, Mounir Lamouri wrote:
> > I do not like [PutForwards=value] but I still believe
> > DOMSettableTokenList is useful.
> 
> I think the issue in this case is that the DOMSettableTokenList 
> representation of the sandbox attribute, as specced, cannot distinguish 
> between "not sandboxed at all" and "sandboxed, with no loosening of any 
> restrictions".
> 
> That makes it very difficult to use, in my opinion.  Very easy to shoot 
> yourself in the foot.

Changing it to a string doesn't affect that, though, does it?

We can certainly add an attribute to DOMSettableTokenList (or rather, a 
descendant, for use specifically with iframe.sandbox) that does the same 
as .hasAttribute(), e.g.:

   iframe.sandbox.present

...or something, if that would help.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


More information about the whatwg mailing list