
RE: sandbox_002.htm needs "allow-same-origin" flag to load media.js script in the sandboxed iframe

From: Kris Krueger <krisk@microsoft.com>
Date: Tue, 9 Oct 2012 00:03:48 +0000
To: "Zhang, Zhiqiang" <zhiqiang.zhang@intel.com>, "public-html-testsuite@w3.org" <public-html-testsuite@w3.org>
CC: "Santos, Thiago" <thiago.santos@intel.com>
Message-ID: <0A605FCDA3A4DC45A98B0DDD1C5351A70380FBDA@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
Thanks for the feedback - 

If you have other feedback on the 'sandbox' tests that would be great!

http://www.w3c-test.org/html/tests/submission/Microsoft/sandbox/sandbox_001.htm -> sandbox_0032.htm

>Hi Kris,
>
>http://w3c-test.org/html/tests/submission/Microsoft/sandbox/sandbox_002.htm

>
>I think it needs "allow-same-origin" flag to load media.js script in the sandboxed iframe, what do you think?
>
>-    <iframe src="support/iframe_sandbox_002.htm" sandbox="allow-scripts" style="display: none"></iframe>
>+    <iframe src="support/iframe_sandbox_002.htm" sandbox="allow-scripts allow-same-origin" style="display: none"></iframe>
>
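Review bot: the `+` line puts allow-same-origin next to allow-scripts on an iframe whose src is the relative path support/iframe_sandbox_002.htm, so the framed page has the same origin as its parent and that keyword pair lets it remove the sandbox attribute, which undoes the restriction the test is meant to exercise. Keep sandbox="allow-scripts" and, if media.js really does not load inside the frame, say which browser shows that and address the script loading itself instead of relaxing the sandbox.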
>Thanks,
>Zhiqiang
I believe the test is correct; a few points and spec references:

#1 You don't want an author to set both attributes (allow-scripts allow-same-origin) since this enables the <iframe> to remove the sandbox attribute!
#2 Once script is enabled (allow-scripts) you can just call play() on the element

See ->  http://www.w3.org/TR/2012/WD-html5-20120329/the-iframe-element.html#attr-iframe-sandbox


"⚠ Warning! Setting both the allow-scripts and allow-same-origin keywords together when the embedded page has the same origin as the page containing the iframe allows the embedded page to simply remove the sandbox attribute."

"The sandboxed automatic features browsing context flag, unless the sandbox attribute's value, when split on spaces, is found to have the allow-scripts keyword (defined above) set
This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control. It is relaxed by the same flag as scripts, because when scripts are enabled these features are trivially possible anyway, and it would be unfortunate to force authors to use script to do them when sandboxed rather than allowing them to use the declarative features."

-----Original Message-----
From: Zhang, Zhiqiang [mailto:zhiqiang.zhang@intel.com] 
Sent: Sunday, October 7, 2012 8:27 PM
To: Kris Krueger; public-html-testsuite@w3.org
Cc: Santos, Thiago
Subject: sandbox_002.htm needs "allow-same-origin" flag to load media.js script in the sandboxed iframe

Hi Kris,

http://w3c-test.org/html/tests/submission/Microsoft/sandbox/sandbox_002.htm


I think it needs "allow-same-origin" flag to load media.js script in the sandboxed iframe, what do you think?

-    <iframe src="support/iframe_sandbox_002.htm" sandbox="allow-scripts" style="display: none"></iframe>
+    <iframe src="support/iframe_sandbox_002.htm" sandbox="allow-scripts allow-same-origin" style="display: none"></iframe>

Thanks,
Zhiqiang


Received on Tuesday, 9 October 2012 00:04:20 GMT
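
An added example, not part of the original messages or of the W3C test suite: a small JavaScript audit of the two spec points quoted in this thread (the allow-scripts plus allow-same-origin warning, and the automatic-features flag). The names sandboxTokens and auditSandbox and the return shape are assumptions made for this sketch; the page URL and iframe src are the ones quoted in the thread.

```javascript
// Added example: classify an <iframe sandbox="..."> value against the two
// spec passages quoted in the thread. Function names are hypothetical.

// The sandbox value is a set of space-separated keywords, compared
// ASCII case-insensitively; empty tokens from repeated whitespace are dropped.
function sandboxTokens(value) {
  return new Set(
    value.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// pageUrl: URL of the embedding document.
// src:     the iframe's src attribute (may be relative).
// sandbox: the attribute value, or null when the attribute is absent.
function auditSandbox(pageUrl, src, sandbox) {
  if (sandbox === null) {
    return { sandboxed: false, risk: "no-sandbox" };
  }
  const tokens = sandboxTokens(sandbox);
  const scripts = tokens.has("allow-scripts");
  const sameOriginKeyword = tokens.has("allow-same-origin");
  // Resolve a relative src against the page before comparing origins.
  const sameOriginFrame =
    new URL(src, pageUrl).origin === new URL(pageUrl).origin;
  // Spec warning: both keywords on a same-origin frame let the embedded
  // page remove the sandbox attribute from its own iframe element.
  const risk =
    scripts && sameOriginKeyword && sameOriginFrame
      ? "can-remove-sandbox"
      : "ok";
  return {
    sandboxed: true,
    scripts,
    sameOriginKeyword,
    sameOriginFrame,
    // Automatic features (autoplay, autofocus) stay blocked unless
    // allow-scripts is present, per the second quoted passage.
    automaticFeaturesBlocked: !scripts,
    risk,
  };
}

// URLs quoted in the thread.
const PAGE =
  "http://w3c-test.org/html/tests/submission/Microsoft/sandbox/sandbox_002.htm";
const FRAME = "support/iframe_sandbox_002.htm";
```
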
