Question on Iframe sandbox attribute and allow-forms keyword from Abhishek Arya on 2010-05-11 (public-html@w3.org from May 2010)

From: Abhishek Arya <aarya@google.com>
Date: Tue, 11 May 2010 10:26:21 -0700
To: public-html@w3.org
Message-ID: <AANLkTilhNeOWjpOQ6Kxo1e3GS2mSFEzJMrMC6mjagzaH@mail.gmail.com>

Hi All,

I have a question on the iframe sandbox attribute -
http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox.

Q1: If allow-forms keyword is not set, do the forms need to be
completely disabled ? Does disabled only mean to block form submission
or disable the form control altogether for user input (as in
http://www.w3.org/TR/html5/forms.html#attr-fe-disabled).
Q2: Would the input elements outside of form be disabled as well ? I
think not, right ?

>From Spec, i see two statements::
1. "When the attribute (sandbox) is set, the content is treated as
being from a unique origin, forms and scripts are disabled, links are
prevented from targeting other browsing contexts, and plugins are
disabled. "

2. "The sandboxed forms browsing context flag, unless the sandbox
attribute's value, when split on spaces, is found to have the
allow-forms keyword set
     This flag blocks form submission."

Thanks and Regards,
Abhishek Arya
Google Chrome Security Team

Received on Tuesday, 11 May 2010 18:59:31 UTC