[whatwg] iframe sandbox attribute

Mounir Lamouri mounir at lamouri.fr
Mon Mar 26 15:13:05 PDT 2012

On 03/26/2012 02:37 PM, Ian Melven wrote:
> While working on implementing HTML5's iframe sandbox, I realized that in script, one can't
> tell the difference between these two cases : <iframe> and <iframe sandbox = ''>.
> In both cases, iframe.sandbox will be '' (the empty string). This is
> true in Webkit and IE10's implementations, as far as my testing can tell (and
> in my work-in-progress implementation for Firefox also). 

element.hasAttribute('sandbox') should return false for the former case
and true for the later.

> There's also no way to clear sandboxing from an <iframe> without using something along
> the lines of .removeAttribute.

If you want to remove the sandbox attribute, isn't removeAttribute the
best way to do that?

> Due to this and some sentiment expressed by others at Mozilla against PutForwards
> (the HTML5 spec specifies [PutForwards=value] on <iframe>'s sandbox attribute, which is 
> defined as a DOMSettableTokenList), I would like to propose a possible modification
> to the spec : changing <iframe> sandbox to be |string? sandbox| instead of a DOMSettableTokenList.

I do not like [PutForwards=value] but I still believe
DOMSettableTokenList is useful.


More information about the whatwg mailing list