After reading some of the spec text for the sandbox attribute, I have a few suggestions: I believe showModalDialog() should also be blocked by the sandboxed navigation browsing context flag [1]. It looks like Chrome already does this and it seems straight forward that it should be treated similarly to window.open(). http://www.w3.org/Bugs/Public/show_bug.cgi?id=12391 Also, I think the behavior for links with target attributes could be better defined for each of its possible values: http://www.w3.org/Bugs/Public/show_bug.cgi?id=12392 Finally, it'd be nice if there was also an "allow-popups" token for the sandbox attribute. When set, window.open(), showModalDialog(), and links with target="_blank" would be allowed. However, the newly created browsing contexts should inherit the sandbox restrictions of the context from which the popup was created. http://www.w3.org/Bugs/Public/show_bug.cgi?id=12393 --Jacob Rossi
Received on Tuesday, 29 March 2011 07:15:22 UTC