[whatwg] Comments on @sandbox

On Thu, 5 Nov 2009, Adam Barth wrote:
> 
> == allow-same-origin + allow-script ==
> 
> It's clear that adding both allow-same-origin and allow-script to 
> @sandbox at the same time make the sandbox useless because the sandboxed 
> content can simply reach outside the frame and remove the sandbox 
> attribute.  Should we disallow setting these values at the same time?  
> If an author does set both, maybe we should only pay attention to one?

Done. allow-same-origin now overrides allow-scripts.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 11 January 2010 18:41:31 UTC