- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Tue, 10 Aug 2010 10:54:31 -0700

On Tue, Aug 10, 2010 at 10:30 AM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> 1. data: urls are unique-origin automatically, and there's no special
> handling of that wrt sandbox=allow-same-origin (that is, the flag does
> nothing, because the url isn't same-origin to begin with). @srcdoc,
> on the other hand, should be same-origin by default (though behind a
> sandbox, and thus *treated* as unique-origin unless the
> allow-same-origin flag is set). Thus, roundtripping the url back into
> @src would produce a document with different behavior.

Sorry, I was misreading part of the spec. data: urls themselves do indeed have a unique origin, but a Document generated from a data: url has the same origin as the including Document (so <iframe src=data:foo></iframe> is same-origin).

~TJ

Received on Tuesday, 10 August 2010 10:54:31 UTC