- From: Ian Melven <imelven@mozilla.com>
- Date: Mon, 26 Mar 2012 14:37:41 -0700 (PDT)
Hi,

While working on implementing HTML5's iframe sandbox, I realized that in script, one can't tell the difference between these two cases: <iframe> and <iframe sandbox = ''>. In both cases, iframe.sandbox will be '' (the empty string). This is true in WebKit and IE10's implementations, as far as my testing can tell (and in my work-in-progress implementation for Firefox also). There's also no way to clear sandboxing from an <iframe> without using something along the lines of .removeAttribute.

Due to this and some sentiment expressed by others at Mozilla against PutForwards (the HTML5 spec specifies [PutForwards=value] on <iframe>'s sandbox attribute, which is defined as a DOMSettableTokenList), I would like to propose a possible modification to the spec: changing <iframe> sandbox to be |string? sandbox| instead of a DOMSettableTokenList. It is my understanding that this matches what WebKit has implemented.

Additionally, sandbox = null would mean there is no sandbox attribute (i.e. <iframe>) and sandbox = '' would mean the iframe is fully sandboxed with no permissions granted (i.e. <iframe sandbox=''>).

This allows script to tell if an iframe is actually sandboxed or not (well, if it's intended to be sandboxed or not, to be exact, since changing flags doesn't take effect immediately, per the HTML5 spec), allows adding and removing sandboxing via the attribute itself, and avoids the need for a PutForwards.

Comments and feedback are very welcome!

Thank you,
ian
Received on Monday, 26 March 2012 14:37:41 UTC
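
The distinction discussed in the message above, as an added example that is not part of the original e-mail or of any browser's code: it reads the sandbox content attribute instead of the reflected iframe.sandbox property and maps it onto the proposed null / '' semantics. The function names and the stub element are assumptions made for illustration; the stub only stands in for a real iframe so the code runs without a DOM.

```javascript
// Added example. Models the semantics proposed in the message:
// null = no sandbox attribute, '' = sandboxed with no permissions granted.

// Read the content attribute rather than the reflected property, so that
// <iframe> and <iframe sandbox=""> can be told apart.
function sandboxValue(frame) {
  return frame.hasAttribute('sandbox') ? frame.getAttribute('sandbox') : null;
}

// Setter counterpart: null removes sandboxing, any string sets the attribute.
function setSandboxValue(frame, value) {
  if (value === null) frame.removeAttribute('sandbox');
  else frame.setAttribute('sandbox', String(value));
}

// Classify a frame, e.g. when auditing which iframes on a page are sandboxed.
// This reports the intended state: per the message, changed flags do not
// take effect immediately.
function describeSandbox(frame) {
  const value = sandboxValue(frame);
  if (value === null) return { sandboxed: false, allowed: [] };
  // The attribute is a space-separated token list; drop empty tokens.
  return { sandboxed: true, allowed: value.split(/\s+/).filter(Boolean) };
}

// Constructed stand-in for an iframe element (hypothetical helper).
function makeStubIframe(attrs = {}) {
  const map = new Map(Object.entries(attrs));
  return {
    hasAttribute: (name) => map.has(name),
    getAttribute: (name) => (map.has(name) ? map.get(name) : null),
    setAttribute: (name, value) => { map.set(name, String(value)); },
    removeAttribute: (name) => { map.delete(name); },
  };
}

// Constructed sample frames: <iframe>, <iframe sandbox="">, and one with tokens.
const plain = makeStubIframe();
const locked = makeStubIframe({ sandbox: '' });
const partial = makeStubIframe({ sandbox: 'allow-scripts  allow-forms' });
for (const frame of [plain, locked, partial]) {
  console.log(JSON.stringify(describeSandbox(frame)));
}
```

In a browser the same functions accept real elements, for example each entry of document.querySelectorAll('iframe').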