Question on Iframe sandbox attribute and allow-forms keyword

Hi All,

I have a question on the iframe sandbox attribute -

Q1: If allow-forms keyword is not set, do the forms need to be
completely disabled ? Does disabled only mean to block form submission
or disable the form control altogether for user input (as in
Q2: Would the input elements outside of form be disabled as well ? I
think not, right ?

>From Spec, i see two statements::
1. "When the attribute (sandbox) is set, the content is treated as
being from a unique origin, forms and scripts are disabled, links are
prevented from targeting other browsing contexts, and plugins are
disabled. "

2. "The sandboxed forms browsing context flag, unless the sandbox
attribute's value, when split on spaces, is found to have the
allow-forms keyword set
     This flag blocks form submission."

Thanks and Regards,
Abhishek Arya
Google Chrome Security Team

Received on Tuesday, 11 May 2010 18:59:31 UTC