- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 12 Jan 2010 02:45:21 +0000 (UTC)

On Tue, 12 Jan 2010, Ian Hickson wrote:
>
> On Thu, 5 Nov 2009, Adam Barth wrote:
> >
> > == allow-same-origin + allow-script ==
> >
> > It's clear that adding both allow-same-origin and allow-script to
> > @sandbox at the same time make the sandbox useless because the
> > sandboxed content can simply reach outside the frame and remove the
> > sandbox attribute. Should we disallow setting these values at the
> > same time? If an author does set both, maybe we should only pay
> > attention to one?
>
> Done. allow-same-origin now overrides allow-scripts.

Er, sorry. That was a momentary lapse of attention. I've reverted this
change. allow-same-origin and allow-scripts can be usefully set together
when the origin of the embedded page is not the same as the origin of the
embedding page. I'll add a warning about it being somewhat pointless to
use them together in same-origin cases, though.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 11 January 2010 18:45:21 UTC
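
The distinction drawn in the message above (the two keywords together are pointless for same-origin content but useful for cross-origin content) can be checked mechanically when reviewing markup. The following is an added example, not part of the original message or of the specification; the function names, verdict labels and sample URLs are assumptions made for illustration, and it only considers frames loaded through a `src` URL.

```javascript
// Added example, not from the original message. All names are hypothetical.

// The sandbox attribute is a whitespace-separated, case-insensitive token list.
function parseSandbox(value) {
  return new Set(
    String(value).split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// Resolve a URL against the embedding page and return its origin, or null
// when it cannot be determined (unparsable URL or opaque origin).
function frameOrigin(src, embedderUrl) {
  try {
    const origin = new URL(src, embedderUrl).origin;
    return origin === 'null' ? null : origin;
  } catch (e) {
    return null;
  }
}

// Classify one <iframe>. sandboxValue is the attribute string, or null if absent.
function auditSandbox(embedderUrl, src, sandboxValue) {
  if (sandboxValue === null || sandboxValue === undefined) {
    return { verdict: 'unsandboxed', reason: 'no sandbox attribute' };
  }
  const tokens = parseSandbox(sandboxValue);
  if (!(tokens.has('allow-scripts') && tokens.has('allow-same-origin'))) {
    return { verdict: 'ok', reason: 'scripts and same-origin are not both allowed' };
  }
  const inner = frameOrigin(src, embedderUrl);
  const outer = frameOrigin(embedderUrl, embedderUrl);
  if (inner === null || outer === null) {
    return { verdict: 'review', reason: 'origin could not be determined' };
  }
  if (inner === outer) {
    return { verdict: 'ineffective',
      reason: 'same-origin script can reach the embedder and remove the sandbox attribute' };
  }
  return { verdict: 'ok', reason: 'embedded origin differs from embedding origin' };
}

// Constructed sample frames, all embedded by the same (made-up) page.
const page = 'https://app.example/page';
for (const [src, sb] of [['/widget.html', 'allow-scripts allow-same-origin'],
                         ['https://cdn.example/w.html', 'allow-scripts allow-same-origin'],
                         ['/widget.html', 'allow-scripts']]) {
  console.log(src, JSON.stringify(sb), '->', auditSandbox(page, src, sb).verdict);
}
```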