
[whatwg] Comments on @sandbox

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 12 Jan 2010 02:41:31 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.1001120240280.8484@hixie.dreamhostps.com>

On Thu, 5 Nov 2009, Adam Barth wrote:
> 
> == allow-same-origin + allow-script ==
> 
> It's clear that adding both allow-same-origin and allow-script to 
> @sandbox at the same time makes the sandbox useless because the sandboxed 
> content can simply reach outside the frame and remove the sandbox 
> attribute.  Should we disallow setting these values at the same time?  
> If an author does set both, maybe we should only pay attention to one?

Done. allow-same-origin now overrides allow-scripts.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 11 January 2010 18:41:31 UTC
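
A markup audit for the combination discussed in this thread, as an added example that is not part of the original messages or of any specification text: it flags iframe elements whose sandbox attribute lists both allow-same-origin and allow-scripts. The names find_weak_sandboxes and SandboxAudit and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The two sandbox keywords whose combination the thread is about.
RISKY = {"allow-same-origin", "allow-scripts"}

# Constructed sample markup (not taken from any real site).
SAMPLE = """<!-- constructed sample markup -->
<iframe src="/widget" sandbox="allow-scripts"></iframe>
<iframe src="/comments" sandbox="allow-forms Allow-Same-Origin
    ALLOW-SCRIPTS"></iframe>
<iframe src="/ad" sandbox></iframe>
<iframe src="/legacy"></iframe>
"""

class SandboxAudit(HTMLParser):
    """Collect iframes whose sandbox attribute lists both risky keywords."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr_map = {}
        for name, value in attrs:
            attr_map.setdefault(name, value)  # keep the first duplicate, as HTML parsers do
        if "sandbox" not in attr_map:
            return  # frame is not sandboxed at all; outside this check
        # Keywords are separated by ASCII whitespace and compared case-insensitively.
        # A bare `sandbox` attribute has value None: the empty, fully restricted set.
        raw = (attr_map["sandbox"] or "").lower()
        tokens = {t for t in re.split(r"[ \t\n\f\r]+", raw) if t}
        if RISKY <= tokens:
            line, _ = self.getpos()  # line on which the tag starts
            self.findings.append((line, attr_map.get("src"), sorted(tokens)))

def find_weak_sandboxes(html):
    """Return (line, src, keywords) for each iframe that sets both keywords."""
    parser = SandboxAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for line, src, tokens in find_weak_sandboxes(SAMPLE):
        print(f"line {line}: iframe src={src!r} sandbox={' '.join(tokens)}")
```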
