On Thu, 5 Nov 2009, Adam Barth wrote:
One interesting feature of @sandbox is that the hosting page can change
the value of the sandbox attribute. Even though it's clear that having
both allow-same-origin and allow-script at the *same* time lets the
sandboxed content escape, it's probably
On Thu, 5 Nov 2009, Adam Barth wrote:
If a page contains a sandboxed frame, the document contained in the
frame is only sandboxed because the user encountered the document via
the frame. If the use encounters the same document directly (e.g., in a
top-level browsing context), then the
On Thu, 5 Nov 2009, Adam Barth wrote:
== allow-same-origin + allow-script ==
It's clear that adding both allow-same-origin and allow-script to
@sandbox at the same time makes the sandbox useless because the sandboxed
content can simply reach outside the frame and remove the sandbox
On Tue, 12 Jan 2010, Ian Hickson wrote:
On Thu, 5 Nov 2009, Adam Barth wrote:
== allow-same-origin + allow-script ==
It's clear that adding both allow-same-origin and allow-script to
@sandbox at the same time makes the sandbox useless because the
sandboxed content can simply reach
As some of you know, WebKit is reviewing a patch to add the sandbox
attribute to frames, as specced in HTML5. I'm hoping this will
motivate various folks to review @sandbox and give their feedback.
== allow-same-origin + allow-script ==
It's clear that adding both allow-same-origin and
I'll respond in more depth later, but some quick notes since you're
reviewing a patch:
On Thu, 5 Nov 2009, Adam Barth wrote:
One interesting feature of @sandbox is that the hosting page can change
the value of the sandbox attribute. Even though it's clear that having
both
On Thu, Nov 5, 2009 at 9:11 PM, Ian Hickson i...@hixie.ch wrote:
I'll respond in more depth later, but some quick notes since you're
reviewing a patch:
Thanks. The plan is to implement the spec as currently written and
then track changes to the spec.
On Thu, 5 Nov 2009, Adam Barth wrote: