[Webkit-unassigned] [Bug 21288] Implement HTML5's sandbox attribute for iframes

bugzilla-daemon at webkit.org
Wed Nov 11 11:45:18 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=21288

--- Comment #28 from Adam Barth <abarth at webkit.org>  2009-11-11 11:45:15 PST ---
> Adam may have a suggestion about which object should have it. I believe in
> general we would like a member of the Frame family of objects to know how
> sandboxed the frame keeps its documents, and be consulted in cases where there
> is not a document involved, and use the document's security origin in all cases
> where there is a document involved.

I'm not sure there's a great place in Frame for this currently. 
ScriptController is tempting, but sandboxing affects more than scripts.  The
rest of our security-related state has document lifetime.  Maybe we need to
create something here?

There's also a subtle bug for the case of

<iframe src="about:blank" sandbox></iframe>

I think that will end up sandboxing the containing frame because the
SecurityOrigin object is shared by the two frames.

In general, I think it's better to land the initial implementation and iterate
instead of trying to get everything perfect in the first patch.  I'd recommend
addressing Darin's comments in this patch (because they affect most of the call
sites) and worrying about the about:blank case in a future patch.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
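
The aliasing concern raised in the comment above can be shown with a toy model. This is an added example, not WebKit code and not part of the original message: the Frame and SecurityOrigin structs, the sandboxed flag and all function names are hypothetical stand-ins, and copying the origin before marking it is only one assumed way to avoid the aliasing.

```cpp
#include <iostream>
#include <memory>
#include <string>

// Toy model only: these types are hypothetical stand-ins, not WebKit classes.
struct SecurityOrigin {
    std::string origin;
    bool sandboxed = false;
};

struct Frame {
    std::shared_ptr<SecurityOrigin> securityOrigin;
};

Frame makeParent() {
    auto origin = std::make_shared<SecurityOrigin>();
    origin->origin = "https://parent.example";  // constructed sample value
    return Frame{origin};
}

// An about:blank child takes the parent's origin object by reference, so
// setting the sandbox state on it also changes what the parent sees.
Frame createAboutBlankChildShared(const Frame& parent, bool sandboxAttr) {
    Frame child{parent.securityOrigin};
    if (sandboxAttr)
        child.securityOrigin->sandboxed = true;  // mutates the shared object
    return child;
}

// Assumed mitigation: give the child its own copy before marking it.
Frame createAboutBlankChildIsolated(const Frame& parent, bool sandboxAttr) {
    Frame child{parent.securityOrigin};
    if (sandboxAttr) {
        child.securityOrigin = std::make_shared<SecurityOrigin>(*parent.securityOrigin);
        child.securityOrigin->sandboxed = true;
    }
    return child;
}

// Reports whether the containing frame ended up sandboxed by its child.
bool parentSandboxedAfterChild(Frame (*makeChild)(const Frame&, bool)) {
    Frame parent = makeParent();
    Frame child = makeChild(parent, true);
    return child.securityOrigin->sandboxed && parent.securityOrigin->sandboxed;
}

int main() {
    std::cout << "shared:   " << parentSandboxedAfterChild(createAboutBlankChildShared) << "\n";
    std::cout << "isolated: " << parentSandboxedAfterChild(createAboutBlankChildIsolated) << "\n";
}
```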


