- From: David Bruant <bruant.d@gmail.com>
- Date: Mon, 25 Feb 2013 09:41:23 +0100
- To: whatwg <whatwg@whatwg.org>

Hi,

The current description of the allow-same-origin sandbox token in the spec is:

"The allow-same-origin keyword allows the content to be treated as being from the same origin instead of forcing it into a unique origin;"

This is a very scary wording. Understood naively, I understand I could host a page in the "davidbruant.github.com" domain with an iframe to anywhere (pick your favorite social network/email client website), add @sandbox="allow-same-origin" and suddenly, I'd be able to look at the content (since the iframe would be treated as being from the same origin).

Obviously, that's not how it works (I say "obviously", because browser vendors would not have implemented what I just described. If they had, the world might have collapsed quickly).

From what I've tested both in Firefox and Chrome, when I have an iframe from a different domain, I can get the contentDocument, but it looks like about:blank from what I can observe in the container. Where is this behavior described?

Also, in some notes [1], I can read:

"Second, [allow-same-origin] can be used to embed content from a third-party site, sandboxed to prevent that site from opening pop-up windows, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc."

I fail to understand what is specific about allow-same-origin that allows that without adding also allow-scripts or allow-forms.

As a more general question: does iframe@sandbox="allow-same-origin" make a page and a cross-origin iframe further connected than they are currently without the keyword?

Thanks,

David

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#attr-iframe-sandbox-allow-same-origin

Received on Monday, 25 February 2013 08:41:54 UTC
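
As an added example, not part of the original message: a simplified JavaScript model of the origin rule behind the allow-same-origin keyword quoted above, showing that the keyword lets framed content keep its own origin rather than adopt the embedder's. The function names and the social.example host are assumptions made for illustration; document.domain, srcdoc/about:blank origin inheritance and the other sandbox flags are ignored.

```javascript
// Simplified model of how the iframe sandbox attribute affects the origin of
// the framed document. Illustrative only; names here are hypothetical.
let opaqueCounter = 0;

// Split the sandbox attribute value into a set of lowercase tokens.
function parseSandbox(value) {
  return new Set(String(value).toLowerCase().split(/\s+/).filter(Boolean));
}

// Origin the framed document ends up with.
// sandboxValue === null models an iframe with no sandbox attribute at all.
function framedOrigin(frameUrl, sandboxValue) {
  const own = new URL(frameUrl).origin;
  if (sandboxValue === null) return own;
  if (parseSandbox(sandboxValue).has("allow-same-origin")) {
    return own; // content keeps ITS OWN origin, not the embedder's
  }
  // Without the keyword the content is forced into a unique origin that
  // compares equal to nothing, including the site it was loaded from.
  return `opaque-${++opaqueCounter}`;
}

// Embedder may reach into the frame only when the two origins match.
function embedderCanReadFrame(embedderUrl, frameUrl, sandboxValue) {
  return new URL(embedderUrl).origin === framedOrigin(frameUrl, sandboxValue);
}

// Framed content still counts as its originating site (storage, requests
// back home) only when it was not pushed into a unique origin.
function frameKeepsOwnOrigin(frameUrl, sandboxValue) {
  return framedOrigin(frameUrl, sandboxValue) === new URL(frameUrl).origin;
}

// Constructed sample: the embedder from the message and a made-up third party.
const EMBEDDER = "https://davidbruant.github.com/page.html";
const THIRD_PARTY = "https://social.example/inbox";
for (const sandbox of [null, "", "allow-same-origin", "allow-scripts"]) {
  console.log(JSON.stringify(sandbox),
    "embedder can read:", embedderCanReadFrame(EMBEDDER, THIRD_PARTY, sandbox),
    "| frame keeps own origin:", frameKeepsOwnOrigin(THIRD_PARTY, sandbox));
}
```
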