Re: Question on Iframe sandbox attribute and allow-forms keyword

On May 11, 2010, at 12:12 PM, Maciej Stachowiak wrote:

> On May 11, 2010, at 10:26 AM, Abhishek Arya wrote:
>> Hi All,
>> I have a question on the iframe sandbox attribute -
>> .
>> Q1: If allow-forms keyword is not set, do the forms need to be
>> completely disabled ? Does disabled only mean to block form  
>> submission
>> or disable the form control altogether for user input (as in
>> Q2: Would the input elements outside of form be disabled as well ? I
>> think not, right ?
>>> From Spec, i see two statements::
>> 1. "When the attribute (sandbox) is set, the content is treated as
>> being from a unique origin, forms and scripts are disabled, links are
>> prevented from targeting other browsing contexts, and plugins are
>> disabled. "
>> 2. "The sandboxed forms browsing context flag, unless the sandbox
>> attribute's value, when split on spaces, is found to have the
>> allow-forms keyword set
>>    This flag blocks form submission."
> From what you quote, it sounds like it should only block form  
> submission, but should not disable form controls.

To follow up on this a little, the phrase "blocks form submission" in  
the spec links to this step of the form submission algorithm, which is  
a normative requirement:

Both of the statements you cite are just informative statements of  
fact, not normative requirements.

It would be nice if someone else confirm this reading.


Received on Tuesday, 11 May 2010 20:20:38 UTC