W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2012

[whatwg] iframe sandbox attribute

From: Ian Melven <imelven@mozilla.com>
Date: Mon, 26 Mar 2012 14:37:41 -0700 (PDT)
Message-ID: <1725917564.18184421.1332797861654.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>

Hi,

While working on implementing HTML5's iframe sandbox, I realized that in script, one can't
tell the difference between these two cases : <iframe> and <iframe sandbox = ''>.

In both cases, iframe.sandbox will be '' (the empty string). This is
true in Webkit and IE10's implementations, as far as my testing can tell (and
in my work-in-progress implementation for Firefox also). 

There's also no way to clear sandboxing from an <iframe> without using something along
the lines of .removeAttribute.

Due to this and some sentiment expressed by others at Mozilla against PutForwards
(the HTML5 spec specifies [PutForwards=value] on <iframe>'s sandbox attribute, which is 
defined as a DOMSettableTokenList), I would like to propose a possible modification
to the spec : changing <iframe> sandbox to be |string? sandbox| instead of a DOMSettableTokenList.

It is my understanding that this matches what Webkit has implemented. Additionally, 
sandbox = null would mean there is no sandbox attribute (i.e. <iframe>) and sandbox = '' would
mean the iframe is fully sandboxed with no permissions granted (ie. <iframe sandbox=''>).

This allows script to tell if an iframe is actually sandboxed or not (well, if it's intended to be
sandboxed or not, to be exact, since changing flags doesn't take affect immediately, per the 
HTML5 spec), allows adding and removing sandboxing via the attribute itself, and avoids the need for
a PutForwards.

Comments and feedback are very welcome !

thank you,
ian
Received on Monday, 26 March 2012 14:37:41 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:40 UTC