On Thu, Mar 23, 2017 at 1:49 AM, Tapan Anand <[email protected]>
wrote:

> Does caja support the src attribute of iframe? I see the iframe tag
> whitelisted in the whitelist file (html4-elements-whitelist.json) but
> when I try to run the code that I have shared in this plunker:
> https://plnkr.co/edit/dQoxqpZBGTUNe0k1W8QM
> The childPage is not fetched at all.
> ...
> I just wanted to make sure that Caja does sanitize all content written
> into the iframe using document.write?
>

Yes, that is all correct. Caja does not implement loading iframe src, but
the guest code can create an iframe and manipulate it using document.write
or DOM operations, and it is sandboxed just as the outer document is.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"Google Caja Discuss" group.