[whatwg] iframes, more sandbox

Chris Coyier chriscoyier at gmail.com
Thu Feb 6 07:54:34 PST 2014

Hey folks. Long time listener, first time caller.

I'm hoping for more a little bit more control over <iframe>s. We have
<iframe sandbox> which is pretty fantastic right now. I'd like to see some
possibilities in both directions (more and less strict).

More strict:
 - Disallow modal dialogs (e.g. alert, confirm) but otherwise allowing
scripts via allow-scripts
 - Also dialogs like when a page or resource is .htpasswd protected
 - Do not make sound, period. Autoplay is already disabled in sandbox, but
can be circumvented (e.g. by creating new audio element that autoplays,
apis that create iframes (soundcloud, vimeo) that then play).
 - Cannot contain another iframe
 - Essentially lower the risk-of-annoyance of an <iframe>

Less strict:
 - Allow some safe version of target="_blank" links

Right now the model for sandbox is "as strict as possible by default" then
loosen restrictions with attribute values. So I'm not sure how this could
be approached, since it feels like it would be weird to all the sudden make
the sandbox attribute more strict than it was before and it also seems
weird to have some attributes that strengthen strictness and some
attributes that loosen it.

Mike West from Google suggested I take this conversation here. Thanks Mike!

Chris Coyier

More information about the whatwg mailing list