Thomas - 3 years ago
HTML Question

Sandboxing, IFrame, and allow-same-origin

I have been reading about the HTML5 additions to the <iframe> tag. One of the additions is the inclusion of sandboxing flags that allow the document loaded into the <iframe> to interact with its parent browser context.

After reading some of the documentation, I am looking for a bit of clarity. I have read MDN's description of the

Allows the content to be treated as being from its normal origin. If
this keyword is not used, the embedded content is treated as being
from a unique origin.

Not hugely helpful, I think, after having read W3C's specification:

...[I]t can be used to embed content from a third-party site,
sandboxed to prevent that site from opening pop-up windows, etc,
without preventing the embedded page from communicating back to its
originating site, using the database APIs to store data, etc.

My question is specifically about what MDN refers to as the "normal origin" in light of W3C's specification: when referring to the "normal origin", is MDN stating that the content of the document contained within the <iframe> tag is treated as if it shares the origin of the page from which the document originates, e.g. a YouTube video believes - and can communicate as if - it is still a part of YouTube? Or does the <iframe> document have access to the parent browser context?

Answer

You can't access the document between an iFrame and the parent window (from different domains). To communicate between frames you'd need to use postMessage.

Using the allow-same-origin allows you to use, for example, cookies that are in the iFrame.

Here's a good reading to understand better iFrames' sandbox:

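Added example (not part of the question or the answer above): a simplified JavaScript model of how the sandbox attribute decides the origin a framed document runs with, and what that means for DOM access and for checking `event.origin` in a postMessage handler. The helper names and the blog.example / video.example URLs are constructed for illustration; the model assumes the frame is loaded from an http(s) URL and ignores srcdoc and about:blank frames.

```javascript
// Added illustration; helper names and URLs are constructed, not from the thread.
const PARENT_URL = "https://blog.example/post";
const FRAME_URL = "https://video.example/embed/1";

// Sandbox tokens are space-separated and ASCII case-insensitive.
function sandboxFlags(sandbox) {
  return new Set((sandbox || "").toLowerCase().split(/\s+/).filter(Boolean));
}

// Origin the framed document runs with. `sandbox` is the attribute value,
// or undefined when the iframe has no sandbox attribute at all.
function frameOrigin(src, sandbox) {
  const normal = new URL(src).origin; // "normal origin": that of the frame's own URL
  if (sandbox === undefined) return normal;
  // Without allow-same-origin the document gets a unique (opaque) origin,
  // which serializes as the string "null", e.g. in a message event's origin.
  return sandboxFlags(sandbox).has("allow-same-origin") ? normal : "null";
}

// Direct DOM access between parent and frame requires equal origins.
// An opaque origin equals nothing, so the frame never gains the parent's origin.
function parentCanReachFrameDom(parentUrl, src, sandbox) {
  const origin = frameOrigin(src, sandbox);
  return origin !== "null" && origin === new URL(parentUrl).origin;
}

// Parent-side postMessage handler check: accept only the expected sender origin.
function acceptMessage(event, expectedOrigin) {
  return event.origin === expectedOrigin;
}

// Review check: content from the parent's own origin that gets both
// allow-scripts and allow-same-origin can remove its own sandbox attribute.
function sandboxIsIneffective(parentUrl, src, sandbox) {
  const flags = sandboxFlags(sandbox);
  return flags.has("allow-scripts") && flags.has("allow-same-origin") &&
    new URL(src).origin === new URL(parentUrl).origin;
}

console.log(frameOrigin(FRAME_URL, "allow-scripts"));                   // "null"
console.log(frameOrigin(FRAME_URL, "allow-scripts allow-same-origin")); // "https://video.example"
console.log(parentCanReachFrameDom(PARENT_URL, FRAME_URL, "allow-same-origin")); // false
```

In this model the "normal origin" is always the origin of the frame's own URL, never the parent's: a cross-origin frame with allow-same-origin keeps its own cookies and storage but still cannot reach the parent's DOM.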