Re: XSS risk from iframe@doc?

Ian Hickson wrote:
> doc="" is only meant to be used with sandbox="". I can just make it not do
> anything at all if sandbox="" isn't specified, if that helps.

Why not just make it easier and say that doc="" is always processed as 
if sandbox="" were specified, even if the author didn't specify it 
explicitly?  Requiring the author to always remember to type <iframe 
doc="..." sandbox=""> just seems redundant, unless they want to specify 
some of the sandbox allow-* values.

-- 
Lachlan Hunt - Opera Software
http://lachy.id.au/
http://www.opera.com/

Received on Sunday, 17 January 2010 21:01:46 UTC