W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > November 2011

[Bug 12393] Add "allow-popups" for iframe@sandbox

From: <bugzilla@jessica.w3.org>
Date: Thu, 10 Nov 2011 01:22:20 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1ROJLQ-0007jZ-21@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12393

--- Comment #12 from Jacob Rossi [MSFT] <jrossi@microsoft.com> 2011-11-10 01:22:18 UTC ---
(In reply to comment #11)
> Another subtly is whether the sandbox flags get applied to the main frame of
> the popup or to the document (i.e., whether subsequent documents that inhabit
> the frame are sandboxed).  WebKit applies the sandbox bits to the frame so that
> future documents in that frame also are sandboxed.
> 
> If the user navigates via the browser's location bar, the bits a cleared
> because the new document is loaded into a "new" frame.

IE10 follows a similar design.  Navigations from within the page with CSP
(clicking a link, window.location=foo, window.open(foo,"_self"), etc.)  persist
the restrictions.  However, if the user navigates with the address bar then the
sandbox bits are cleared.

Child frames within a document with a CSP sandbox header also inherit those
restrictions (in the same way a child frame of a sandboxed iframe inherit
sandbox flags per HTML5).

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Thursday, 10 November 2011 01:22:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 10 November 2011 01:22:39 GMT