- allow-orientation-lock: Lets the resource lock the screen orientation.
- allow-pointer-lock: Lets the resource use the Pointer Lock API.
- allow-popups: Allows popups (such as window.open(), target="_blank", or showModalDialog()). If this keyword is not used, the popup will silently fail to open.
- allow-popups-to-escape-sandbox: Lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to.
- allow-presentation: Lets the resource start a presentation session.
- allow-same-origin: If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy.
- allow-scripts: Lets the resource run scripts (but not create popup windows).
- allow-storage-access-by-user-activation (experimental): Lets the resource request access to the parent's storage capabilities with the Storage Access API.
- allow-top-navigation: Lets the resource navigate the top-level browsing context (the one named _top).
- allow-top-navigation-by-user-activation: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.

When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute - making it no more secure than not using the sandbox attribute at all.

Sandboxing is useless if the attacker can display content outside a sandboxed iframe - such as if the viewer opens the frame in a new tab. Such content should also be served from a separate origin to limit potential damage.

The sandbox attribute is unsupported in Internet Explorer 9 and earlier.
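The notes on combining allow-scripts with allow-same-origin, on serving framed content from a separate origin, and on allow-popups can be checked mechanically when reviewing markup. The following is an added example, not code from the original page; the function names, finding labels and sample URLs are assumptions made up for illustration.

```javascript
"use strict";
// Added example: static audit of an <iframe> sandbox value (hypothetical helpers).

// Tokens are ASCII-whitespace separated and case-insensitive.
// null/undefined means the attribute is absent; "" means fully sandboxed.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// True when the frame's src resolves to the embedding page's origin.
function sameOrigin(frameSrc, pageUrl) {
  const page = new URL(pageUrl);
  const frame = new URL(frameSrc, page); // resolves relative src values
  // Opaque origins (e.g. data: URLs) serialize to "null" and never match.
  return frame.origin !== "null" && frame.origin === page.origin;
}

// Returns a list of finding labels (labels are this example's own naming).
function auditFrame({ sandbox, src }, pageUrl) {
  const tokens = parseSandbox(sandbox);
  if (tokens === null) return ["no-sandbox"];
  const findings = [];
  const same = sameOrigin(src, pageUrl);
  // Same origin + scripts + same-origin access: the frame can remove its own sandbox.
  if (same && tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("sandbox-removable");
  }
  // Framed content should be served from a separate origin.
  if (same) findings.push("shared-origin");
  // Without allow-popups the popup silently fails, so the escape token does nothing.
  if (tokens.has("allow-popups-to-escape-sandbox") && !tokens.has("allow-popups")) {
    findings.push("escape-without-popups");
  }
  return findings;
}

// Constructed sample input: page URL and frames are invented for the example.
const PAGE = "https://app.example/dashboard";
const SAMPLES = [
  { sandbox: "allow-scripts allow-same-origin", src: "/widgets/chat.html" },
  { sandbox: "Allow-Scripts  allow-same-origin", src: "https://ads.example/slot.html" },
  { sandbox: "allow-popups-to-escape-sandbox", src: "https://ads.example/slot.html" },
  { sandbox: null, src: "https://ads.example/slot.html" },
];
for (const f of SAMPLES) console.log(f.src, f.sandbox, auditFrame(f, PAGE));
```
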