From b96aee50e137ebc4bb4af6b783b7bab83128c244 Mon Sep 17 00:00:00 2001 From: Cheng Zhao Date: Mon, 10 Mar 2014 22:33:34 +0800 Subject: [PATCH] :memo: Mention that iframe is sandboxed by default. --- docs/api/browser/browser-window.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/api/browser/browser-window.md b/docs/api/browser/browser-window.md index 43ef062c3e5d..b2bfe8382082 100644 --- a/docs/api/browser/browser-window.md +++ b/docs/api/browser/browser-window.md @@ -66,12 +66,15 @@ An example of enable node integration in iframe with `node-integration` set to ``` -And you should also notice that the iframes can have access to parent window's -javascript objects via `window.parent`, so in order to grant complete security -from iframes, you should add `sandbox` attribute to the iframes: +And in atom-shell, the security limitaion of iframe is stricter than normal +browser, by default iframe is sandboxed with all permissions except the +`allow-same-origin`, which means iframe could not access parent's js context. + +If you want to enable things like `parent.window.process.exit()` in iframe, +you should explictly set `sandbox` to `none`: ```html - + ``` ### Event: 'page-title-updated'
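Review bot: In the first added paragraph, "all permissions except the `allow-same-origin`" can be read two ways: every sandbox flag is granted except that one, or every restriction applies except that one. Since the stated consequence is that the iframe "could not access parent's js context", please spell out which sandbox tokens are in effect by default. The added lines also contain two typos, "limitaion" and "explictly". In the second added paragraph, `none` is not one of the standard HTML `sandbox` tokens, so the text should say that it is an atom-shell-specific value. That sentence documents how to let an iframe call `parent.window.process.exit()`, so it should also say that the sandbox should only be turned off for iframes that load trusted content. The removed text carried the warning about `window.parent` access, and the replacement no longer has an equivalent caution.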