W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2013

[whatwg] Cross-origin iframe and @sandbox=allow-same-origin

From: David Bruant <bruant.d@gmail.com>
Date: Mon, 25 Feb 2013 09:41:23 +0100
Message-ID: <512B23B3.10203@gmail.com>
To: whatwg <whatwg@whatwg.org>

The current description of the allow-same-origin sandbox token in the 
spec is:
" The allow-same-origin keyword allows the content to be treated as 
being from the same origin instead of forcing it into a unique origin;"

This is a very scary wording. Understood naively, I understand I could 
host a page in the "davidbruant.github.com" domain with an iframe to 
anywhere (pick your favorite social network/email client website), add 
@sandbox="allow-same-origin" and suddenly, I'd be able to look at the 
content (since the iframe would be treated as being from the same origin).

Obviously, that's not how it works (I say "obviously", because browser 
vendors would have not implemented what I just described. If they had, 
the world might have collapsed quickly).
 From what I've tested both in Firefox and Chrome, when I have an iframe 
from a different domain, I can get the contentDocument, but it looks 
like about:blank from what I can observe in the container. Where is this 
behavior described?

Also, in some notes [1], I can read:
"Second, [allow-same-origin] can be used to embed content from a 
third-party site, sandboxed to prevent that site from opening pop-up 
windows, etc, without preventing the embedded page from communicating 
back to its originating site, using the database APIs to store data, etc."

I fail to understand what is specific about allow-same-origin that 
allows that without adding also allow-scripts or allow-forms.

As a more general question: does iframe@sandbox="allow-same-origin" make 
a page and a cross-origin iframe further connected than they are 
currently without the keyword?



Received on Monday, 25 February 2013 08:41:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:20 UTC