html5/spec Overview.html,1.3654,1.3655 from Ian Hickson via cvs-syncmail on 2010-01-12 (public-html-commits@w3.org from January 2010)

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Tue, 12 Jan 2010 02:56:28 +0000
To: public-html-commits@w3.org
Message-Id: <E1NUWvk-0002OS-QZ@lionel-hutz.w3.org>

Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv9181

Modified Files:
	Overview.html 
Log Message:
Mention the danger of allow-scripts+allow-same-origin on same-origin iframes. (whatwg r4579)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3654
retrieving revision 1.3655
diff -u -d -r1.3654 -r1.3655
--- Overview.html	12 Jan 2010 02:47:05 -0000	1.3654
+++ Overview.html	12 Jan 2010 02:56:25 -0000	1.3655
@@ -16846,10 +16846,14 @@
   prevented from targeting other <a href="#browsing-context" title="browsing
   context">browsing contexts</a>, and plugins are disabled. The
   <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
-  token allows the content to be treated as being from the same origin
+  keyword allows the content to be treated as being from the same origin
   instead of forcing it into a unique origin, and the <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> and <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
-  tokens re-enable forms and scripts respectively (though scripts are
-  still prevented from creating popups).<div class="impl">
+  keywords re-enable forms and scripts respectively (though scripts are
+  still prevented from creating popups).<p class="warning">Setting both the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> and
+  <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
+  keywords together when the embedded page has the <a href="#same-origin">same
+  origin</a> as the page containing the <code><a href="#the-iframe-element">iframe</a></code> allows
+  the embedded page to simply remove the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute.<div class="impl">
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
        - disallow cross-origin loads of any kind (networking

Received on Tuesday, 12 January 2010 02:56:30 UTC