This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 25586 - In this example, a gadget from another site is embedded. The gadget has scripting and forms enabled, [...]
Status: RESOLVED NEEDSINFO
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML
Version: unspecified
Hardware: Other
OS: other
Importance: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL: http://www.whatwg.org/specs/web-apps/...
Reported: 2014-05-06 22:10 UTC by contributor
Modified: 2014-07-29 20:40 UTC
CC: 2 users

Description contributor 2014-05-06 22:10:35 UTC
Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html
Multipage: http://www.whatwg.org/C#the-iframe-element
Complete: http://www.whatwg.org/c#the-iframe-element
Referrer: https://www.google.ca/

Comment:
In this example, a gadget from another site is embedded. The gadget has
scripting and forms enabled, and the origin sandbox restrictions are lifted,
allowing the gadget to communicate with its originating server. The sandbox is
still useful, however, as it disables plugins and popups, thus reducing the
risk of the user being exposed to malware and other annoyances.

Posted from: 192.156.112.151
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Comment 1 Ian 'Hixie' Hickson 2014-05-07 18:35:48 UTC
If both allow-same-origin and allow-scripts are enabled, the iframe can just reach out and remove the sandbox attribute altogether. So it's not useful.
Comment 2 Ian 'Hixie' Hickson 2014-07-29 20:40:53 UTC
Not sure what to do here.
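The escape from comment 1 and the spec example quoted in the description, as an added example that is not part of the bug thread or of the specification: a small Node-runnable model of the sandbox attribute's keyword rules from the iframe section linked above, plus the script a framed page would run in a browser to strip the attribute. The embedder and gadget URLs, the function names and the sample keyword sets are assumptions for illustration. The model applies the spec's own conditions: the framed script must be allowed to run (allow-scripts), and removing the attribute goes through window.frameElement, which a browser only exposes when the framed document is same-origin with the embedder; allow-same-origin lets a document keep its real origin rather than an opaque one, so a gadget from another site keeps that other origin and cannot reach the embedder's DOM.

```javascript
// Added example, not code from the spec or the bug thread: a model of the
// sandbox attribute's keyword rules from the HTML spec's iframe section, used
// to check when a framed page can remove the attribute as comment 1 describes.
// URLs, names and sample keyword sets below are assumptions for illustration.

// Keywords the sandbox attribute recognised around the time of this bug.
// Unknown tokens are ignored, and no keyword re-enables plugins. A Map avoids
// Object.prototype lookups ("constructor" etc.) matching as keywords.
const SANDBOX_KEYWORDS = new Map([
  ['allow-forms', 'forms'],
  ['allow-pointer-lock', 'pointerLock'],
  ['allow-popups', 'popups'],
  ['allow-same-origin', 'sameOrigin'],
  ['allow-scripts', 'scripts'],
  ['allow-top-navigation', 'topNavigation'],
]);

// Parse a sandbox attribute value (space-separated, ASCII case-insensitive
// tokens) into the set of restrictions that are lifted.
function parseSandbox(attrValue) {
  const flags = {
    forms: false, pointerLock: false, popups: false,
    sameOrigin: false, scripts: false, topNavigation: false,
    plugins: false,   // always disabled while the attribute is present
  };
  for (const token of attrValue.trim().split(/\s+/)) {
    const key = SANDBOX_KEYWORDS.get(token.toLowerCase());
    if (key !== undefined) flags[key] = true;
  }
  return flags;
}

// Origin the framed document runs under: its real origin when
// allow-same-origin is present, otherwise a unique opaque origin that is
// same-origin with nothing (modelled as null).
function framedOrigin(frameUrl, flags) {
  return flags.sameOrigin ? new URL(frameUrl).origin : null;
}

// The escape from comment 1: the framed script reaches window.frameElement,
// strips the sandbox attribute and reloads itself. That needs scripts to run
// and frameElement to be reachable, which browsers only permit when the
// framed document is same-origin with the embedder. A gadget from another
// site keeps that other origin under allow-same-origin, so it fails here.
function canEscapeSandbox(embedderUrl, frameUrl, attrValue) {
  const flags = parseSandbox(attrValue);
  if (!flags.scripts) return false;
  const origin = framedOrigin(frameUrl, flags);
  return origin !== null && origin === new URL(embedderUrl).origin;
}

// Browser-side script for the framed page (not executed here; Node has no
// DOM). Attribute changes take effect on the iframe's next navigation, hence
// the reload. frameElement is null (or throws, in older engines) cross-origin.
const ESCAPE_SCRIPT = [
  "var frame = window.frameElement;",
  "if (frame && frame.hasAttribute('sandbox')) {",
  "  frame.removeAttribute('sandbox');",
  "  location.reload();",
  "}",
].join('\n');

// The keyword set from the spec example quoted in the description.
const SPEC_EXAMPLE = 'allow-same-origin allow-forms allow-scripts';

// Assumed embedder and gadget URLs for the three cases worth comparing.
function demo() {
  const embedder = 'https://www.example.com/page';
  return {
    // Gadget from another site, as in the spec example: no escape, and
    // plugins and popups stay disabled for it.
    crossSite: canEscapeSandbox(embedder, 'https://gadget.example.net/widget', SPEC_EXAMPLE),
    // Same-origin content with both keywords: it can strip the attribute
    // and reload itself without any sandbox flags.
    sameOrigin: canEscapeSandbox(embedder, 'https://www.example.com/widget', SPEC_EXAMPLE),
    // Same-origin but without allow-scripts: nothing runs, so no escape.
    noScripts: canEscapeSandbox(embedder, 'https://www.example.com/widget', 'allow-same-origin allow-forms'),
  };
}

console.log(demo(), parseSandbox(SPEC_EXAMPLE));
```

The model returns false for the cross-site gadget of the spec example and true only when the framed URL shares the embedder's origin and both allow-same-origin and allow-scripts are present, which is the combination the spec's iframe section warns against for same-origin content.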