- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Mon, 30 Aug 2010 10:02:30 -0700
While talking with the implementor of @srcdoc in WebKit, it came up that, though @srcdoc is *designed* for use with @sandbox, the author still has to explicitly add @sandbox to the <iframe> or else they don't get the sandbox security model.

Can we make this automatic? Specifically, when <iframe srcdoc=foo></iframe> is specified (without @sandbox), it drops into the sandbox security model as if <iframe sandbox srcdoc=foo></iframe> was used. If @sandbox is explicitly added, its value is instead used, so the author can set the sandbox security flags if desired.

This would mean that there is no way for an author to use @srcdoc *without* sandboxing. This appears to be a minority use-case in the first place (as far as I can tell, it's pretty much just useful for testing purposes), but the author can always use a data: URL in that case.

As a separate issue, a @srcdoc <iframe> should be able to receive @seamless as well, even when it's officially unique-origin (that is, when the author doesn't go out of their way to set @sandbox=allow-same-origin). There is precedent for this in the spec - a text/html-sandboxed resource loaded into an iframe (which is required to be unique-origin) can receive @seamless, because it's not "actually" cross-origin; it only acts that way for particular security purposes which don't apply to the use of @seamless here.

~TJ
Received on Monday, 30 August 2010 10:02:30 UTC
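
A static check for the gap the message describes, an <iframe> that carries @srcdoc but no @sandbox. This is an added example, not part of the original message or of any browser's code; the function name, status labels and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup (not from the original message).
SAMPLE = """\
<iframe srcdoc="&lt;p&gt;user comment&lt;/p&gt;"></iframe>
<iframe sandbox srcdoc="&lt;p&gt;user comment&lt;/p&gt;"></iframe>
<iframe SANDBOX="allow-forms Allow-Same-Origin" srcdoc="&lt;p&gt;x&lt;/p&gt;"></iframe>
<iframe src="https://example.com/"></iframe>
<iframe srcdoc="&lt;p&gt;y&lt;/p&gt;" sandbox="" sandbox="allow-same-origin"></iframe>
"""


class _SrcdocAudit(HTMLParser):
    """Collects (line, status, sandbox_tokens) for every <iframe srcdoc>."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # HTML parsing keeps the first of any duplicated attribute, so a later
        # sandbox="..." cannot loosen an earlier one.
        first = {}
        for name, value in attrs:
            first.setdefault(name, value)
        if "srcdoc" not in first:
            return
        line = self.getpos()[0]
        if "sandbox" not in first:
            # The case from the message: srcdoc content without the sandbox model.
            self.findings.append((line, "no-sandbox", []))
            return
        # A bare or empty sandbox attribute applies every restriction.
        tokens = sorted(set((first["sandbox"] or "").lower().split()))
        status = "same-origin" if "allow-same-origin" in tokens else "unique-origin"
        self.findings.append((line, status, tokens))


def audit_srcdoc_iframes(html):
    """Return one finding per <iframe> that uses srcdoc, in document order."""
    parser = _SrcdocAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit_srcdoc_iframes(SAMPLE):
        print(finding)
```
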