W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2010

[whatwg] Comments on @sandbox

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 12 Jan 2010 02:45:21 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.1001120243190.13493@hixie.dreamhostps.com>
On Tue, 12 Jan 2010, Ian Hickson wrote:
>
> On Thu, 5 Nov 2009, Adam Barth wrote:
> > 
> > == allow-same-origin + allow-script ==
> > 
> > It's clear that adding both allow-same-origin and allow-script to 
> > @sandbox at the same time make the sandbox useless because the 
> > sandboxed content can simply reach outside the frame and remove the 
> > sandbox attribute.  Should we disallow setting these values at the 
> > same time?  If an author does set both, maybe we should only pay 
> > attention to one?
>
> Done. allow-same-origin now overrides allow-scripts.

Er, sorry. That was a momentary lapse of attention. I've reverted this 
change.

allow-same-origin and allow-scripts can be usefully set together when the 
origin of the embedded page is not the same as the origin of the embedding 
page. I'll add a warning about it being somewhat pointless to use them 
together in same-origin cases, though.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 11 January 2010 18:45:21 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:20 UTC