[whatwg] Cross-origin iframe and @sandbox=allow-same-origin

Ian Hickson ian at hixie.ch
Mon Feb 25 10:10:32 PST 2013

On Mon, 25 Feb 2013, David Bruant wrote:
> The current description of the allow-same-origin sandbox token in the 
> spec is: " The allow-same-origin keyword allows the content to be 
> treated as being from the same origin instead of forcing it into a 
> unique origin;"
> This is a very scary wording.

True. Note though that it's non-normative, so it doesn't affect 
implementors at all. (There's no "MUST" requirement and no "IS" 
definition, so it's just describing what's going on, not requiring 
anything or defining anything.)

I've made the wording less scary though.

> Also, in some notes [1], I can read:
> "Second, [allow-same-origin] can be used to embed content from a third-party
> site, sandboxed to prevent that site from opening pop-up windows, etc, without
> preventing the embedded page from communicating back to its originating site,
> using the database APIs to store data, etc."
> I fail to understand what is specific about allow-same-origin that 
> allows that without adding also allow-scripts or allow-forms.

If you don't have allow-same-origin, the content ends up in a unique 
origin, not its "real" origin.

> As a more general question: does iframe at sandbox="allow-same-origin" make a
> page and a cross-origin iframe further connected than they are currently
> without the keyword?

The only difference is that without the keyword, the content is in a 
unique origin, and with it, its origin is left as normal.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list