Add a note explaining allow-modals + allow-same-origin

Re-closes #5407
whatwg · Feb 23, 2021 · 5f626a1 · 5f626a1
1 parent 25d7190
commit 5f626a1
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/source b/source
@@ -30461,6 +30461,16 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> will have an effect
   in such non-conformant markup.</p>
 
+  <p class="note">To allow <code data-x="dom-alert">alert()</code>, <code
+  data-x="dom-confirm">confirm()</code>, and <code data-x="dom-prompt">prompt()</code> inside
+  sandboxed content, both the <code data-x="attr-iframe-sandbox-allow-modals">allow-modals</code>
+  and <code data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keywords need to
+  be specified, and the loaded URL needs to be <span>same origin</span> with the <span>top-level
+  origin</span>. Without the <code
+  data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword, the content is
+  always treated as cross-origin, and cross-origin content <span>cannot show simple
+  dialogs</span>.</p>
+
   <p class="warning">Setting both the <code
   data-x="attr-iframe-sandbox-allow-scripts">allow-scripts</code> and <code
   data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keywords together when the