Re: [whatwg] Proposal: Two changes to iframe@sandbox

On Mon, May 11, 2015 at 4:02 PM, Chris Coyier <chriscoyier@gmail.com> wrote:

> I'd think popups would be killed by default and allow-popups would allow
> them. Or if you need a new value, allow-obnoxious-things could work ;)
>

I would prefer to simply remove the functionality. :)

If we do decide that we need `alert()` and friends, I would suggest that
`allow-popups` is the wrong flag to use. The advertising use case I noted
at the top pretty much requires `window.open`/`target="_blank"` to work
correctly. If those only work when `alert()` is enabled, then we wouldn't
solve the issue.


> Like navigator.geolocation (so we regex and strip it).
>

I think permissions for iframes in general are a separate question, but an
important one to deal with.


> The worst offender: linking to things that are .htpasswd protected and it
> pops up that authentication modal.
>

I wouldn't be terribly averse to dropping support for that inside a
sandbox. Especially a sandbox without `allow-same-origin`.

-mike

--
Mike West <mkwst@google.com>, @mikewest


Received on Monday, 11 May 2015 14:14:04 UTC