hixie: Mention the danger of allow-scripts+allow-same-origin on same-origin iframes. (whatwg r4579)

hixie: Mention the danger of allow-scripts+allow-same-origin on same-
origin iframes. (whatwg r4579)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3654&r2=1.3655&f=h
http://html5.org/tools/web-apps-tracker?from=4578&to=4579

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3654
retrieving revision 1.3655
diff -u -d -r1.3654 -r1.3655
--- Overview.html 12 Jan 2010 02:47:05 -0000 1.3654
+++ Overview.html 12 Jan 2010 02:56:25 -0000 1.3655
@@ -16846,10 +16846,14 @@
   prevented from targeting other <a href="#browsing-context" title="browsing
   context">browsing contexts</a>, and plugins are disabled. The
   <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
-  token allows the content to be treated as being from the same origin
+  keyword allows the content to be treated as being from the same origin
   instead of forcing it into a unique origin, and the <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> and <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
-  tokens re-enable forms and scripts respectively (though scripts are
-  still prevented from creating popups).<div class="impl">
+  keywords re-enable forms and scripts respectively (though scripts are
+  still prevented from creating popups).<p class="warning">Setting both the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> and
+  <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
+  keywords together when the embedded page has the <a href="#same-origin">same
+  origin</a> as the page containing the <code><a href="#the-iframe-element">iframe</a></code> allows
+  the embedded page to simply remove the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute.<div class="impl">
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
        - disallow cross-origin loads of any kind (networking

Received on Tuesday, 12 January 2010 02:57:04 UTC