[whatwg] iframe sandbox attribute

Ian Melven imelven at mozilla.com
Fri Mar 30 12:22:36 PDT 2012 

I agree that it's pretty likely folks won't be mutating
this property very often - the HTML5 spec actually
recommends against messing with the sandbox attribute dynamically at all :

"Generally speaking, dynamically removing or changing the sandbox attribute is ill-advised, 
because it can make it quite hard to reason about what will be allowed and what will not."
(which I also agree with. )

that said, what do you think about the case Boris points out where
myFrame.sandbox = myFrame.sandbox; can change the sandboxing
of a frame ? 

In my opinion, both this and the case involving myOtherFrame.sandbox = myFrame.sandbox;
are pretty non-intuitive - unless as Boris suggests, .sandbox is null for an iframe which
hasn't had a sandbox attribute declared. A script author could use .present
or .hasAttribute to work around this, but my concern is the potentially
surprising behavior. 

thanks,
ian


----- Original Message -----
From: "Adam Barth" <w3c at adambarth.com>
To: "Boris Zbarsky" <bzbarsky at mit.edu>
Cc: whatwg at lists.whatwg.org
Sent: Thursday, March 29, 2012 2:17:42 PM
Subject: Re: [whatwg] iframe sandbox attribute

I guess I don't see much value in using DOMSettableTokenList for the
sandbox property.  I don't expect folks to mutate the property much.
They're just likely to set it to a constant and be done with it.  The
situation is very different for a property like className, where
there's a strong use case for mutating.

Adam


On Mon, Mar 26, 2012 at 4:06 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 3/26/12 3:19 PM, Ian Hickson wrote:
>>
>> Changing it to a string doesn't affect that, though, does it?
>
>
> Well, changing to a nullable string does affect it because doing something
> like this:
>
>  myFrame.sandbox = myFrame.sandbox;
>
> is a no-op, as by all sane rights it should be....  More importantly,
>
>  myOtherFrame.sandbox = myFrame.sandbox;
>
> doesn't have weird surprising behavior if the attribute is something whose
> value sanely distinguishes between the various possible sandbox values.
>
>
>> We can certainly add an attribute to DOMSettableTokenList (or rather, a
>> descendant, for use specifically with iframe.sandbox) that does the same
>> as .hasAttribute(), e.g.:
>>
>>    iframe.sandbox.present
>>
>> ...or something, if that would help.
>
>
> Would we also make the attribute readonly, then, and require that it be set
> via the token list?  Otherwise, it seems like the snippets above would still
> have pretty unexpected behavior.  But even then they might, since sets of
> readonly props are just silently ignored.  :(
>
> -Boris

More information about the whatwg mailing list