[whatwg] Modifying iframe sandbox attributes

Ian Melven imelven at mozilla.com
Tue Apr 23 10:18:29 PDT 2013


see http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

specifically "These flags only take effect when the nested browsing context of the iframe is navigated. Removing them, or removing the entire sandbox attribute, has no effect on an already-loaded page."

you need to navigate the sandboxed iframe for the new flags to take effect. 

thanks,
ian


----- Original Message -----
From: "Tim Streater" <tim at clothears.org.uk>
To: "WhatWG List" <whatwg at lists.whatwg.org>
Sent: Monday, April 22, 2013 10:26:00 AM
Subject: [whatwg] Modifying iframe sandbox attributes

I need to add/remove the allow-scripts attribute to/from an iframe sandbox, since I use one frame for two purposes (sometimes with untrusted content, other times with my own content that uses JavaScript). I've tried the following:

iframePtr.sandbox = "allow-popups allow-same-origin allow-scripts";

and:

iframePtr.sandbox = "allow-popups allow-same-origin";

This doesn't appear to work in Safari 6.0.4. Is this the right syntax? Is such a possibility even implemented yet.

--
Cheers  --  Tim



More information about the whatwg mailing list