[whatwg] Question on iframe.srcdoc address (about:srcdoc)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Tue, 10 Aug 2010 10:54:31 -0700
Message-ID: <AANLkTimTr2sT-znvbqyZWvuR0HHqM42T2aD6VSgkZ2wv@mail.gmail.com>
On Tue, Aug 10, 2010 at 10:30 AM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> 1. data: urls are unique-origin automatically, and there's no special
> handling of that wrt sandbox=allow-same-origin (that is, the flag does
> nothing, because the url isn't same-origin to begin with).  @srcdoc,
> on the other hand, should be same-origin by default (though behind a
> sandbox, and thus *treated* as unique-origin unless the
> allow-same-origin flag is set).  Thus, roundtripping the url back into
> @src would produce a document with different behavior.

Sorry, I was misreading part of the spec.  data: urls themselves do
indeed have a unique origin, but a Document generated from a data: url
has the same origin as the including Document (so <iframe
src=data:foo></iframe> is same-origin).

~TJ
Received on Tuesday, 10 August 2010 10:54:31 UTC