W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2012

[whatwg] Confirming understanding about window.location's interaction with sandboxed seamless iframes

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 12 Apr 2012 06:35:36 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1204120634520.22654@ps20323.dreamhostps.com>
On Wed, 11 Apr 2012, Adam Barth wrote:
>
> We ran into a tricky case in implementing seamless today, and I'd like
> to make sure we did the right thing.  Consider the following markup:
> 
> <iframe seamless srcdoc="<script>window.location =
> 'http://example.com/';</script>"></iframe>
> 
> According to the rules for navigating seamless iframes, when the child
> frame assigns to window.location, the browser will navigate the parent
> frame.  Now, what happens if you add in sandbox:
> 
> <iframe seamless sandbox="allow-scripts"
> srcdoc="<script>window.location =
> 'http://example.com/';</script>"></iframe>
> 
> In this case, navigating the parent is blocked because the sandbox 
> prevents the child from navigating it's parent.

The blocking happens in step 2, which is before the seamless redirection 
which is in step 3, so in this case it's not blocked.

HTH,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 11 April 2012 23:35:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:07 GMT