diff --git a/docs/api/browser-window.md b/docs/api/browser-window.md
index 0e75e86a51f..3b9e7f0d09d 100644
--- a/docs/api/browser-window.md
+++ b/docs/api/browser-window.md
@@ -54,8 +54,9 @@ normal browsers, see [Web Security](web-security.md) for more.
* `show` Boolean - Whether window should be shown when created
* `frame` Boolean - Specify `false` to create a
[Frameless Window](frameless-window.md)
- * `node-integration` String - Can be `all`, `except-iframe`,
- `manual-enable-iframe` or `disable`.
+ * `node-integration` String - Default value is `except-iframe`, can also be
+ `all`, `manual-enable-iframe` or `disable`, see
+ [Web Security](web-security.md) for more informations.
* `accept-first-mouse` Boolean - Whether the web view accepts a single
mouse-down event that simultaneously activates the window
* `auto-hide-menu-bar` Boolean - Auto hide the menu bar unless the `Alt`
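Review bot: on the added `node-integration` entry, "for more informations" should be "for more information". Since the explanation of the four values is being moved out of this file, the entry would also benefit from a few words per value (for example that `except-iframe` keeps node integration on in the main page and off in its iframes), so a reader choosing a value here does not have to follow the link to learn what the default exposes.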
@@ -80,35 +81,6 @@ Creates a new `BrowserWindow` with native properties set by the `options`.
Usually you only need to set the `width` and `height`, other properties will
have decent default values.
-By default the `node-integration` option is `except-iframe`, which means node
-integration is disabled in all iframes, . You can also set it to `all`, with
-which node integration is available to the main page and all its iframes, or
-`manual-enable-iframe`, which is like `except-iframe`, but would enable iframes
-whose name is suffixed by `-enable-node-integration`. And setting to `disable`
-would disable the node integration in both the main page and its iframes.
-
-An example of enable node integration in iframe with `node-integration` set to
-`manual-enable-iframe`:
-
-```html
-
-
-
-
-
-```
-
-And in atom-shell, the security limitation of iframe is stricter than normal
-browser, by default iframe is sandboxed with all permissions except the
-`allow-same-origin`, which means iframe could not access parent's js context.
-
-If you want to enable things like `parent.window.process.exit()` in iframe,
-you should explicitly set `sandbox` to `none`:
-
-```html
-
-```
-
### Event: 'page-title-updated'
* `event` Event
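Review bot: the removed sentence "whose name is suffixed by `-enable-node-integration`" is not carried over as written; the relocated text in web-security.md says the name "contains string `enable-node-integration`". That changes the documented matching rule inside what otherwise reads as a move. Please confirm which wording matches the implementation and call the change out in the commit message, because a substring match opts in more frame names than a suffix match does.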
diff --git a/docs/api/web-security.md b/docs/api/web-security.md
index 8143e5f8494..fa78342dd1d 100644
--- a/docs/api/web-security.md
+++ b/docs/api/web-security.md
@@ -18,4 +18,45 @@ the `iframe`'s name to disable this:
```
+## Frames are sandboxed by default
+
+In normal browsers, `iframe`s are not sandboxed by default, which means a remote
+page in `iframe` can easily access its parent's JavaScript context.
+
+In atom-shell because the parent frame may have the power to access native
+resources, this could cause security problems. In order to fix it, `iframe`s
+in atom-shell are sandboxed with all permissions except the `allow-same-origin`
+by default.
+
+If you want to enable things like `parent.window.process.exit()` in `iframe`s,
+you need to explicitly add `allow-same-origin` to the `sandbox` attribute, or
+just set `sandbox` to `none`:
+
+```html
+
+```
+
+## Node integration in frames
+
+The `node-integration` option of [BrowserWindow](browser-window.md) controls
+whether node integration is enabled in web page and its `iframe`s.
+
+By default the `node-integration` option is `except-iframe`, which means node
+integration is disabled in all `iframe`s. You can also set it to `all`, with
+which node integration is available to the main page and all its `iframe`s, or
+`manual-enable-iframe`, which is like `except-iframe`, but enables `iframe`s
+whose name contains string `enable-node-integration`. And setting to `disable`
+would disable the node integration in both the main page and its `iframe`s.
+
+An example of enable node integration in `iframe` with `node-integration` set to
+`manual-enable-iframe`:
+
+```html
+
+
+
+
+
+```
+
[x-frame-options](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options)
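Review bot: in "Frames are sandboxed by default", the sentence ending "or just set `sandbox` to `none`" presents removing the sandbox as the easy option without restating the consequence given two paragraphs earlier, namely that the framed page can then reach the parent's JavaScript context and, through it, native resources. Suggest dropping "just", listing the narrower `allow-same-origin` change as the preferred one, and saying that either should only be applied to frames whose content you control. Minor wording in the second section: "An example of enable node integration" should be "An example of enabling node integration", and "in web page" should be "in the web page".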