
Let's talk about iframe sandbox

From: Zi Bin Cheah <zibin@opera.com>
Date: Thu, 30 Sep 2010 00:50:51 +0200
Message-Id: <6442E966-5B75-4121-B7A3-42C2D13BB9C9@opera.com>
To: public-html-ig-zh@w3.org
Many websites use iframes. Although they are convenient, they come with security problems.

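The WHATWG has proposed the sandbox attribute, whose purpose is to monitor and control cross-origin access and script execution. The sandbox values are allow-same-origin, allow-forms, and allow-scripts. If the sandbox attribute is given on its own with no value, the maximum restrictions apply: the iframe content is treated as belonging to a different origin and cannot run scripts or forms.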

For example, sandbox="allow-same-origin allow-scripts" means that the iframe and the parent page can access each other's DOM (I guess), and it also lets the iframe execute scripts.


Regards,

Zi Bin Cheah / 谢子斌

Web Evangelist
/ Developer Relations / Site Compatibility / Products Group /

Opera Software ASA, Oslo, Norway
+ 47 23 69 25 81 / twitter: zibin











Received on Wednesday, 29 September 2010 22:52:40 UTC
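
The following is an added example, not part of the original message: a small JavaScript model of how a sandbox attribute value maps to the restrictions described above. It covers only the three keywords named in the message; the function names and the sample values are constructed for illustration.

```javascript
// Added example: models the three sandbox keywords named in the message.
const KEYWORDS = ["allow-same-origin", "allow-forms", "allow-scripts"];

// attr === null means the iframe carries no sandbox attribute at all.
function parseSandbox(attr) {
  if (attr === null) {
    return { sandboxed: false, sameOrigin: true, forms: true, scripts: true, other: [] };
  }
  // Tokens are separated by ASCII whitespace and matched case-insensitively.
  const tokens = attr.split(/[ \t\n\f\r]+/).filter(Boolean).map(t => t.toLowerCase());
  const has = k => tokens.includes(k);
  return {
    sandboxed: true,
    sameOrigin: has("allow-same-origin"), // false: content gets a unique origin
    forms: has("allow-forms"),
    scripts: has("allow-scripts"),
    other: tokens.filter(t => !KEYWORDS.includes(t)),
  };
}

// Returns review findings for one attribute value.
function review(attr) {
  const p = parseSandbox(attr);
  const findings = [];
  if (!p.sandboxed) findings.push("no sandbox attribute: no restrictions apply");
  for (const t of p.other) {
    findings.push(`token "${t}" is not one of the three keywords modelled here and grants none of them`);
  }
  if (p.sandboxed && p.sameOrigin && p.scripts) {
    findings.push("allow-same-origin with allow-scripts: same-origin framed content can script the parent and remove its own sandbox");
  }
  return findings;
}

// Constructed sample values, including a comma-separated, misspelled one.
const samples = [null, "", "allow-forms", "allow-same-origin allow-scripts",
                 "allow-same-origin, allow-script"];
for (const s of samples) {
  console.log(JSON.stringify(s), parseSandbox(s), review(s));
}
```

Because tokens are split on whitespace only, a comma-separated or misspelled value is not recognized and leaves the frame under the full restrictions.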

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:43:45 UTC