RE: sandbox_002.htm needs "allow-same-origin" flag to load media.js script in the sandboxed iframe

Thanks for the feedback - 

If you have other feedback on the 'sandbox' tests that would be great!

http://www.w3c-test.org/html/tests/submission/Microsoft/sandbox/sandbox_001.htm -> sandbox_0032.htm

>Hi Kris,
>
>http://w3c-test.org/html/tests/submission/Microsoft/sandbox/sandbox_002.htm
>
>I think it needs "allow-same-origin" flag to load media.js script in the sandboxed iframe, what do you think?
>
>-    <iframe src="support/iframe_sandbox_002.htm" sandbox="allow-scripts" style="display: none"></iframe>
>+    <iframe src="support/iframe_sandbox_002.htm" sandbox="allow-scripts allow-same-origin" style="display: none"></iframe>
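Review bot: Combining allow-same-origin with allow-scripts on the `+` line defeats the sandbox in this test: the src is the relative path support/iframe_sandbox_002.htm, so the framed page has the same origin as the test page and, with both keywords set, can remove its own sandbox attribute. Suggest keeping sandbox="allow-scripts" as on the `-` line and, if media.js does not load in the frame, tracking that down in the support page instead of relaxing the sandbox.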
>
>Thanks,
>Zhiqiang
I believe the test is correct; a few points and spec references:

#1 You don't want an author to set both attributes (allow-scripts allow-same-origin) since this enables the <iframe> to remove the sandbox attribute!
#2 Once script is enabled (allow-scripts) you can just call play() on the element

See ->  http://www.w3.org/TR/2012/WD-html5-20120329/the-iframe-element.html#attr-iframe-sandbox


"⚠Warning! Setting both the allow-scripts and allow-same-origin keywords together when the embedded page has the same origin as the page containing the iframe allows the embedded page to simply remove the sandbox attribute."

"The sandboxed automatic features browsing context flag, unless the sandbox attribute's value, when split on spaces, is found to have the allow-scripts keyword (defined above) set
This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control. It is relaxed by the same flag as scripts, because when scripts are enabled these features are trivially possible anyway, and it would be unfortunate to force authors to use script to do them when sandboxed rather than allowing them to use the declarative features."

-----Original Message-----
From: Zhang, Zhiqiang [mailto:zhiqiang.zhang@intel.com] 
Sent: Sunday, October 7, 2012 8:27 PM
To: Kris Krueger; public-html-testsuite@w3.org
Cc: Santos, Thiago
Subject: sandbox_002.htm needs "allow-same-origin" flag to load media.js script in the sandboxed iframe

Hi Kris,

http://w3c-test.org/html/tests/submission/Microsoft/sandbox/sandbox_002.htm


I think it needs "allow-same-origin" flag to load media.js script in the sandboxed iframe, what do you think?

-    <iframe src="support/iframe_sandbox_002.htm" sandbox="allow-scripts" style="display: none"></iframe>
+    <iframe src="support/iframe_sandbox_002.htm" sandbox="allow-scripts allow-same-origin" style="display: none"></iframe>

Thanks,
Zhiqiang

Received on Tuesday, 9 October 2012 00:04:20 UTC
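
The flag logic in the two spec passages quoted in the reply above can be written as a small audit check. This is an added example, not part of the original thread or of the test suite; `checkSandbox` and its parameter names are hypothetical, and the sample values are the two `sandbox` attributes from the proposed change.

```javascript
// Added example: evaluate an iframe's sandbox attribute as the quoted spec text describes.
// checkSandbox and its parameter names are hypothetical, chosen for this illustration.
function checkSandbox(pageUrl, iframeSrc, sandboxValue) {
  // null/undefined means the iframe carries no sandbox attribute at all.
  const sandboxed = sandboxValue != null;
  // The spec splits the value on spaces; the keywords are ASCII case-insensitive.
  const tokens = new Set(
    (sandboxValue || "")
      .split(/[ \t\n\f\r]+/)
      .filter(Boolean)
      .map((t) => t.toLowerCase())
  );
  const scripts = !sandboxed || tokens.has("allow-scripts");
  // Without allow-same-origin the framed content is forced into a unique origin.
  const uniqueOrigin = sandboxed && !tokens.has("allow-same-origin");
  // Resolve the src against the containing page, as the browser does.
  const page = new URL(pageUrl);
  const frame = new URL(iframeSrc, page);
  return {
    sandboxed,
    scripts,
    // Automatic features (autoplay, autofocus) are relaxed by the same keyword as scripts.
    automaticFeatures: scripts,
    uniqueOrigin,
    // The case the spec warning describes: script plus a shared origin with the
    // embedding page lets the framed page remove the sandbox attribute.
    canRemoveSandbox:
      sandboxed && scripts && !uniqueOrigin && frame.origin === page.origin,
  };
}

// Values taken from the thread: the test page URL and both attribute variants.
const TEST_PAGE =
  "http://w3c-test.org/html/tests/submission/Microsoft/sandbox/sandbox_002.htm";
const FRAME_SRC = "support/iframe_sandbox_002.htm";

function auditThreadVariants() {
  return {
    current: checkSandbox(TEST_PAGE, FRAME_SRC, "allow-scripts"),
    proposed: checkSandbox(TEST_PAGE, FRAME_SRC, "allow-scripts allow-same-origin"),
  };
}

console.log(auditThreadVariants());
```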