[whatwg] Cross-origin iframe and @sandbox=allow-same-origin

David Bruant bruant.d at gmail.com
Mon Feb 25 00:41:23 PST 2013


The current description of the allow-same-origin sandbox token in the 
spec is:
" The allow-same-origin keyword allows the content to be treated as 
being from the same origin instead of forcing it into a unique origin;"

This is a very scary wording. Understood naively, I understand I could 
host a page in the "davidbruant.github.com" domain with an iframe to 
anywhere (pick your favorite social network/email client website), add 
@sandbox="allow-same-origin" and suddenly, I'd be able to look at the 
content (since the iframe would be treated as being from the same origin).

Obviously, that's not how it works (I say "obviously", because browser 
vendors would not have implemented what I just described. If they had, 
the world might have collapsed quickly).
From what I've tested both in Firefox and Chrome, when I have an iframe 
from a different domain, I can get the contentDocument, but it looks 
like about:blank from what I can observe in the container. Where is this 
behavior described?

Also, in some notes [1], I can read:
"Second, [allow-same-origin] can be used to embed content from a 
third-party site, sandboxed to prevent that site from opening pop-up 
windows, etc, without preventing the embedded page from communicating 
back to its originating site, using the database APIs to store data, etc."

I fail to understand what is specific about allow-same-origin that 
allows that without also adding allow-scripts or allow-forms.

As a more general question: does iframe@sandbox="allow-same-origin" make 
a page and a cross-origin iframe further connected than they are 
currently without the keyword?
