📝 Mention that iframe is sandboxed by default.

Cheng Zhao 2014-03-10 22:33:34 +08:00
parent 337e9f9553
commit b96aee50e1


@ -66,12 +66,15 @@ An example of enable node integration in iframe with `node-integration` set to
<iframe src="http://jandan.net"></iframe> <iframe src="http://jandan.net"></iframe>
``` ```
And you should also notice that the iframes can have access to parent window's And in atom-shell, the security limitaion of iframe is stricter than normal
javascript objects via `window.parent`, so in order to grant complete security browser, by default iframe is sandboxed with all permissions except the
from iframes, you should add `sandbox` attribute to the iframes: `allow-same-origin`, which means iframe could not access parent's js context.
If you want to enable things like `parent.window.process.exit()` in iframe,
you should explictly set `sandbox` to `none`:
```html ```html
<iframe sandbox="allow-scripts" src="http://bbs.seu.edu.cn"></iframe> <iframe sandbox="none" src="https://github.com"></iframe>
``` ```
### Event: 'page-title-updated' ### Event: 'page-title-updated'
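Review bot: The new paragraph introduces `sandbox="none"` without saying that `none` is an atom-shell-specific value. It is not one of the standard HTML sandbox tokens, so the docs should say it only has this meaning in atom-shell. Because the text states that this setting enables calls like `parent.window.process.exit()`, and the example points it at a remote URL (`https://github.com`), add a sentence that it should be set only on iframes loading trusted content. The removed sentence explained the `window.parent` exposure that motivates the sandbox; keeping one line of that rationale would tell readers why the default exists. In the wording, "all permissions except the `allow-same-origin`" would read more clearly as a list of what is and is not allowed, and the typos "limitaion" and "explictly" should be corrected to "limitation" and "explicitly".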