- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Tue, 12 Jan 2010 02:56:28 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv9181 Modified Files: Overview.html Log Message: Mention the danger of allow-scripts+allow-same-origin on same-origin iframes. (whatwg r4579) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.3654 retrieving revision 1.3655 diff -u -d -r1.3654 -r1.3655 --- Overview.html 12 Jan 2010 02:47:05 -0000 1.3654 +++ Overview.html 12 Jan 2010 02:56:25 -0000 1.3655 @@ -16846,10 +16846,14 @@ prevented from targeting other <a href="#browsing-context" title="browsing context">browsing contexts</a>, and plugins are disabled. The <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code> - token allows the content to be treated as being from the same origin + keyword allows the content to be treated as being from the same origin instead of forcing it into a unique origin, and the <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> and <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> - tokens re-enable forms and scripts respectively (though scripts are - still prevented from creating popups).<div class="impl"> + keywords re-enable forms and scripts respectively (though scripts are + still prevented from creating popups).<p class="warning">Setting both the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> and + <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code> + keywords together when the embedded page has the <a href="#same-origin">same + origin</a> as the page containing the <code><a href="#the-iframe-element">iframe</a></code> allows + the embedded page to simply remove the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute.<div class="impl"> <!-- v2: Add a new attribute that enables new restrictions, e.g.: - disallow cross-origin loads of any kind (networking
Received on Tuesday, 12 January 2010 02:56:30 UTC