[whatwg] Cross-origin iframe and @sandbox=allow-same-origin
David Bruant
bruant.d at gmail.com
Mon Feb 25 00:41:23 PST 2013
Hi,
The current description of the allow-same-origin sandbox token in the
spec is:
"The allow-same-origin keyword allows the content to be treated as
being from the same origin instead of forcing it into a unique origin;"
This is a very scary wording. Understood naively, I understand I could
host a page in the "davidbruant.github.com" domain with an iframe to
anywhere (pick your favorite social network/email client website), add
@sandbox="allow-same-origin" and suddenly, I'd be able to look at the
content (since the iframe would be treated as being from the same origin).
Obviously, that's not how it works (I say "obviously", because browser
vendors would not have implemented what I just described. If they had,
the world might have collapsed quickly).
From what I've tested both in Firefox and Chrome, when I have an iframe
from a different domain, I can get the contentDocument, but it looks
like about:blank from what I can observe in the container. Where is this
behavior described?
Also, in some notes [1], I can read:
"Second, [allow-same-origin] can be used to embed content from a
third-party site, sandboxed to prevent that site from opening pop-up
windows, etc, without preventing the embedded page from communicating
back to its originating site, using the database APIs to store data, etc."
I fail to understand what is specific about allow-same-origin that
allows that without adding also allow-scripts or allow-forms.
As a more general question: does iframe@sandbox="allow-same-origin" make
a page and a cross-origin iframe further connected than they are
currently without the keyword?
Thanks,
David
[1]
http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#attr-iframe-sandbox-allow-same-origin
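
The following is an added example, not part of the original message or of the specification text. It models the origin rule the quoted wording refers to: a sandboxed frame is forced into a unique origin unless allow-same-origin is present, in which case it keeps its own URL's origin, not the embedder's. The function names and the mail.example URL are hypothetical, and document.domain is ignored.

```javascript
// Simplified model of how the sandbox attribute decides a frame's origin.
// Helper names are hypothetical; these are not browser APIs.
let opaqueCounter = 0;

// Split a sandbox attribute value into tokens.
// null means the iframe carries no sandbox attribute at all.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
}

// Origin the framed document runs with.
function effectiveOrigin(frameUrl, sandboxAttr) {
  const tokens = parseSandbox(sandboxAttr);
  const own = new URL(frameUrl).origin;
  if (tokens === null) return own;                 // not sandboxed
  if (tokens.has("allow-same-origin")) return own; // keeps its OWN origin
  return `opaque-${++opaqueCounter}`;              // unique origin, equal to nothing
}

// Ordinary same-origin check between embedder and frame; the sandbox
// token never rewrites the frame's origin to the embedder's.
function parentCanReadFrame(parentUrl, frameUrl, sandboxAttr) {
  return new URL(parentUrl).origin === effectiveOrigin(frameUrl, sandboxAttr);
}

// True when the framed page still counts as its originating site, so
// origin-keyed state (cookies, storage, database APIs) stays reachable.
function frameKeepsOwnOrigin(frameUrl, sandboxAttr) {
  return effectiveOrigin(frameUrl, sandboxAttr) === new URL(frameUrl).origin;
}

// Constructed sample URLs: the embedder from the message, a same-origin
// widget, and a hypothetical third-party page.
const PARENT = "https://davidbruant.github.com/page.html";
const SAME = "https://davidbruant.github.com/widget.html";
const CROSS = "https://mail.example/inbox";

for (const [label, url] of [["same-origin", SAME], ["cross-origin", CROSS]]) {
  for (const sandbox of [null, "", "allow-scripts allow-forms", "allow-same-origin"]) {
    console.log(label, JSON.stringify(sandbox),
      "parent can read:", parentCanReadFrame(PARENT, url, sandbox),
      "| frame keeps own origin:", frameKeepsOwnOrigin(url, sandbox));
  }
}
```

In this model the keyword only changes the outcome for the embedder when the frame was same-origin to begin with; for a cross-origin frame it changes what the framed page can do as its own site, not what the embedder can read.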