From e3d67a304fa7f399cc9c201eb695b9c8faeb8412 Mon Sep 17 00:00:00 2001
From: Cheng Zhao <zcbenz@gmail.com>
Date: Tue, 4 Mar 2014 21:34:14 +0800
Subject: [PATCH] :memo: Notice on `sandbox` attribute.

---
 docs/api/browser/browser-window.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/docs/api/browser/browser-window.md b/docs/api/browser/browser-window.md
index ce019154a4d..43ef062c3e5 100644
--- a/docs/api/browser/browser-window.md
+++ b/docs/api/browser/browser-window.md
@@ -66,6 +66,14 @@ An example of enable node integration in iframe with `node-integration` set to
 <iframe src="http://jandan.net"></iframe>
 ```
 
+And you should also notice that the iframes can have access to parent window's
+javascript objects via `window.parent`, so in order to grant complete security
+from iframes, you should add `sandbox` attribute to the iframes:
+
+```html
+<iframe sandbox="allow-scripts" src="http://bbs.seu.edu.cn"></iframe>
+```
+
 ### Event: 'page-title-updated'
 
 * `event` Event