W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2012

[whatwg] Confirming understanding about window.location's interaction with sandboxed seamless iframes

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Apr 2012 23:39:32 -0700
Message-ID: <CAJE5ia_LSQY1GUqpo5Jp+jUYWt05+77Z46RLbZZUM986CXr6tg@mail.gmail.com>
On Wed, Apr 11, 2012 at 11:35 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Wed, 11 Apr 2012, Adam Barth wrote:
>>
>> We ran into a tricky case in implementing seamless today, and I'd like
>> to make sure we did the right thing. ?Consider the following markup:
>>
>> <iframe seamless srcdoc="<script>window.location =
>> 'http://example.com/';</script>"></iframe>
>>
>> According to the rules for navigating seamless iframes, when the child
>> frame assigns to window.location, the browser will navigate the parent
>> frame. ?Now, what happens if you add in sandbox:
>>
>> <iframe seamless sandbox="allow-scripts"
>> srcdoc="<script>window.location =
>> 'http://example.com/';</script>"></iframe>
>>
>> In this case, navigating the parent is blocked because the sandbox
>> prevents the child from navigating it's parent.
>
> The blocking happens in step 2, which is before the seamless redirection
> which is in step 3, so in this case it's not blocked.

On #whatwg, Hixie pointed me to this table:

http://www.whatwg.org/specs/web-apps/current-work/#browsing-context-names

which looks quite helpful.

Thanks!
Adam
Received on Wednesday, 11 April 2012 23:39:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:07 GMT