Add note on CSP sandbox causing to iframe sandbox section #40468
Conversation
github-actions
bot
added
Content:HTTP
|
Preview URLs Flaws (3)URL:
(comment last updated: 2025-07-21 23:59:05) |
| - Documents served with the {{HTTPHeader("Content-Security-Policy")}} `sandbox` directive that don't include `allow-same-origin`. | ||
| - {{HTMLElement("iframe", "iframes")}} with a sandbox attribute that don't contain the value `allow-same-origin`. |
There was a problem hiding this comment.
Shouldn't it be "that doesn't" since "that" refers to the singular "directive"?
There was a problem hiding this comment.
The subject is the iframes - my understanding is that the modifier "with a sandbox attribute" does not change that.
But in honestly, I didn't think about it at all - the other way "feels wrong".
There was a problem hiding this comment.
The iframe doesn't "contain the value"; the attribute "contains the value". It should read "iframes (with a sandbox attribute (that doesn't contain the value))", not "iframes (with a sandbox attribute) (that don't contain the value)" (and in this case the latter should use "and which don't contain the value" anyway)
There was a problem hiding this comment.
In English, the iframe contains the attribute so it also contains the allow-same-attribute. This isn't ambiguous, but I guess our job is to be very pedantic.
- Documents served with the {{HTTPHeader("Content-Security-Policy")}} `sandbox` directive, where the directive value doesn't include `allow-same-origin`.
- {{HTMLElement("iframe", "iframes")}} with a sandbox attribute where the attribute doesn't contain the value `allow-same-origin`.
Description
Added a new bullet point to the list of cases where the
Originheader may benull.It covers the scenario where a page is served with a
Content-Security-Policy: sandboxheader without theallow-same-origindirective.Fixes #40093