Add a note explaining allow-modals + allow-same-origin #6401
Conversation
| and <code data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keywords need to | ||
| be specified. Without the <code | ||
| data-x="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code> keyword, the content is | ||
| treated as cross-origin, and cross-origin content <span>cannot show simple dialogs</span>.</p> |
There was a problem hiding this comment.
Do we need to call out that the content needs to be same-origin as well?
There was a problem hiding this comment.
I added a clause explaining that. It's a little wishy-washy, as explaining this concisely without just duplicating the normative requirements is tricky. (E.g., talking about "the content" like the existing spec does.) Recall that this is in a web-developer-visible section. Any better suggestions are welcome.
There was a problem hiding this comment.
The only thing you need to change is that it needs to be same origin with the container document's origin. With that this seems fine to me.
There was a problem hiding this comment.
Hmm is that true? The "cannot show simple dialogs" check is with the top-level origin.
Re-closes #5407. /cc @carlosjoan91 @cdumez
/iframe-embed-object.html ( diff )