- From: Charles Pritchard <chuck@jumis.com>
- Date: Tue, 12 Mar 2013 17:36:46 -0700
- To: Web Applications Working Group WG <public-webapps@w3.org>
The web intents push has stalled a little, but in the same direction, I've hit a snag on iframe sandbox. Chrome has picked up the semantic for extensions, allowing us to define a page as we might with http headers as a sandbox. Within that context, I'd like to create an iframe, I don't want any popups, but I do want that frame to access localStorage, because it's across origins, and I want it to postMessage back. I'd also like to be able to create blank iframe via about:blank. At present, I'm blocked on both of these. Should we extend sandbox semantics? I really had a hard time reading the spec. I just want safe means of running code, and getting data across origins. With chrome extensions, you now need sandbox pages to use inline script and eval, unless it's hosted on the web. Web is now "more" trusted than some extension pages in the chrome security model; because sandbox is the primary means of making an untrusted extension page.
Received on Wednesday, 13 March 2013 00:37:14 UTC