Annotation of html5/spec/the-iframe-element.html, revision 1.244

1.233     mike        1: <!DOCTYPE html>
1.241     mike        2: <html lang="en-US-x-Hixie"><head><title>4.8.2 The iframe element &#8212; HTML5</title><link rel="stylesheet" href="alert.css"><style type="text/css">
1.1       mike        3:    pre { margin-left: 2em; white-space: pre-wrap; }
                      4:    h2 { margin: 3em 0 1em 0; }
                      5:    h3 { margin: 2.5em 0 1em 0; }
                      6:    h4 { margin: 2.5em 0 0.75em 0; }
                      7:    h5, h6 { margin: 2.5em 0 1em; }
                      8:    h1 + h2, h1 + h2 + h2 { margin: 0.75em 0 0.75em; }
                      9:    h2 + h3, h3 + h4, h4 + h5, h5 + h6 { margin-top: 0.5em; }
                     10:    p { margin: 1em 0; }
                     11:    hr:not(.top) { display: block; background: none; border: none; padding: 0; margin: 2em 0; height: auto; }
                     12:    dl, dd { margin-top: 0; margin-bottom: 0; }
                     13:    dt { margin-top: 0.75em; margin-bottom: 0.25em; clear: left; }
                     14:    dt + dt { margin-top: 0; }
                     15:    dd dt { margin-top: 0.25em; margin-bottom: 0; }
                     16:    dd p { margin-top: 0; }
                     17:    dd dl + p { margin-top: 1em; }
                     18:    dd table + p { margin-top: 1em; }
                     19:    p + * > li, dd li { margin: 1em 0; }
                     20:    dt, dfn { font-weight: bold; font-style: normal; }
1.83      mike       21:    i, em { font-style: italic; }
1.1       mike       22:    dt dfn { font-style: italic; }
                     23:    pre, code { font-size: inherit; font-family: monospace; font-variant: normal; }
                     24:    pre strong { color: black; font: inherit; font-weight: bold; background: yellow; }
                     25:    pre em { font-weight: bolder; font-style: normal; }
                     26:    @media screen { code { color: orangered; } code :link, code :visited { color: inherit; } }
                     27:    var sub { vertical-align: bottom; font-size: smaller; position: relative; top: 0.1em; }
                     28:    table { border-collapse: collapse; border-style: hidden hidden none hidden; }
                     29:    table thead, table tbody { border-bottom: solid; }
                     30:    table tbody th:first-child { border-left: solid; }
                     31:    table tbody th { text-align: left; }
                     32:    table td, table th { border-left: solid; border-right: solid; border-bottom: solid thin; vertical-align: top; padding: 0.2em; }
                     33:    blockquote { margin: 0 0 0 2em; border: 0; padding: 0; font-style: italic; }
                     34: 
                     35:    .bad, .bad *:not(.XXX) { color: gray; border-color: gray; background: transparent; }
                     36:    .matrix, .matrix td { border: none; text-align: right; }
                     37:    .matrix { margin-left: 2em; }
                     38:    .dice-example { border-collapse: collapse; border-style: hidden solid solid hidden; border-width: thin; margin-left: 3em; }
                     39:    .dice-example caption { width: 30em; font-size: smaller; font-style: italic; padding: 0.75em 0; text-align: left; }
                     40:    .dice-example td, .dice-example th { border: solid thin; width: 1.35em; height: 1.05em; text-align: center; padding: 0; }
                     41: 
                     42:    .toc dfn, h1 dfn, h2 dfn, h3 dfn, h4 dfn, h5 dfn, h6 dfn { font: inherit; }
1.96      mike       43:    img.extra, p.overview { float: right; }
1.94      mike       44:    pre.idl { border: solid thin; background: #EEEEEE; color: black; padding: 0.5em 1em; position: relative; }
1.1       mike       45:    pre.idl :link, pre.idl :visited { color: inherit; background: transparent; }
1.94      mike       46:    pre.idl::before { content: "IDL"; font: bold small sans-serif; padding: 0.5em; background: white; position: absolute; top: 0; margin: -1px 0 0 -4em; width: 1.5em; border: thin solid; border-radius: 0 0 0 0.5em }
1.1       mike       47:    pre.css { border: solid thin; background: #FFFFEE; color: black; padding: 0.5em 1em; }
                     48:    pre.css:first-line { color: #AAAA50; }
                     49:    dl.domintro { color: green; margin: 2em 0 2em 2em; padding: 0.5em 1em; border: none; background: #DDFFDD; }
                     50:    hr + dl.domintro, div.impl + dl.domintro { margin-top: 2.5em; margin-bottom: 1.5em; }
                     51:    dl.domintro dt, dl.domintro dt * { color: black; text-decoration: none; }
                     52:    dl.domintro dd { margin: 0.5em 0 1em 2em; padding: 0; }
                     53:    dl.domintro dd p { margin: 0.5em 0; }
1.124     mike       54:    dl.domintro:before { display: table; margin: -1em -0.5em -0.5em auto; width: auto; content: 'This box is non-normative. Implementation requirements are given below this box.'; color: black; font-style: italic; border: solid 2px; background: white; padding: 0 0.25em; }
1.1       mike       55:    dl.switch { padding-left: 2em; }
                     56:    dl.switch > dt { text-indent: -1.5em; }
                     57:    dl.switch > dt:before { content: '\21AA'; padding: 0 0.5em 0 0; display: inline-block; width: 1em; text-align: right; line-height: 0.5em; }
                     58:    dl.triple { padding: 0 0 0 1em; }
                     59:    dl.triple dt, dl.triple dd { margin: 0; display: inline }
                     60:    dl.triple dt:after { content: ':'; }
                     61:    dl.triple dd:after { content: '\A'; white-space: pre; }
                     62:    .diff-old { text-decoration: line-through; color: silver; background: transparent; }
                     63:    .diff-chg, .diff-new { text-decoration: underline; color: green; background: transparent; }
                     64:    a .diff-new { border-bottom: 1px blue solid; }
                     65: 
                     66:    h2 { page-break-before: always; }
                     67:    h1, h2, h3, h4, h5, h6 { page-break-after: avoid; }
                     68:    h1 + h2, hr + h2.no-toc { page-break-before: auto; }
                     69: 
1.26      mike       70:    p  > span:not([title=""]):not([class="XXX"]):not([class="impl"]):not([class="note"]),
                     71:    li > span:not([title=""]):not([class="XXX"]):not([class="impl"]):not([class="note"]), { border-bottom: solid #9999CC; }
1.1       mike       72: 
                     73:    div.head { margin: 0 0 1em; padding: 1em 0 0 0; }
                     74:    div.head p { margin: 0; }
                     75:    div.head h1 { margin: 0; }
                     76:    div.head .logo { float: right; margin: 0 1em; }
                     77:    div.head .logo img { border: none } /* remove border from top image */
                     78:    div.head dl { margin: 1em 0; }
                     79:    div.head p.copyright, div.head p.alt { font-size: x-small; font-style: oblique; margin: 0; }
                     80: 
                     81:    body > .toc > li { margin-top: 1em; margin-bottom: 1em; }
                     82:    body > .toc.brief > li { margin-top: 0.35em; margin-bottom: 0.35em; }
                     83:    body > .toc > li > * { margin-bottom: 0.5em; }
                     84:    body > .toc > li > * > li > * { margin-bottom: 0.25em; }
                     85:    .toc, .toc li { list-style: none; }
                     86: 
                     87:    .brief { margin-top: 1em; margin-bottom: 1em; line-height: 1.1; }
                     88:    .brief li { margin: 0; padding: 0; }
                     89:    .brief li p { margin: 0; padding: 0; }
                     90: 
                     91:    .category-list { margin-top: -0.75em; margin-bottom: 1em; line-height: 1.5; }
                     92:    .category-list::before { content: '\21D2\A0'; font-size: 1.2em; font-weight: 900; }
                     93:    .category-list li { display: inline; }
                     94:    .category-list li:not(:last-child)::after { content: ', '; }
                     95:    .category-list li > span, .category-list li > a { text-transform: lowercase; }
                     96:    .category-list li * { text-transform: none; } /* don't affect <code> nested in <a> */
                     97: 
                     98:    .XXX { color: #E50000; background: white; border: solid red; padding: 0.5em; margin: 1em 0; }
                     99:    .XXX > :first-child { margin-top: 0; }
                    100:    p .XXX { line-height: 3em; }
                    101:    .annotation { border: solid thin black; background: #0C479D; color: white; position: relative; margin: 8px 0 20px 0; }
                    102:    .annotation:before { position: absolute; left: 0; top: 0; width: 100%; height: 100%; margin: 6px -6px -6px 6px; background: #333333; z-index: -1; content: ''; }
                    103:    .annotation :link, .annotation :visited { color: inherit; }
                    104:    .annotation :link:hover, .annotation :visited:hover { background: transparent; }
                    105:    .annotation span { border: none ! important; }
                    106:    .note { color: green; background: transparent; font-family: sans-serif; }
                    107:    .warning { color: red; background: transparent; }
                    108:    .note, .warning { font-weight: bolder; font-style: italic; }
1.83      mike      109:    .note em, .warning em, .note i, .warning i { font-style: normal; }
1.1       mike      110:    p.note, div.note { padding: 0.5em 2em; }
                    111:    span.note { padding: 0 2em; }
                    112:    .note p:first-child, .warning p:first-child { margin-top: 0; }
                    113:    .note p:last-child, .warning p:last-child { margin-bottom: 0; }
                    114:    .warning:before { font-style: normal; }
                    115:    p.note:before { content: 'Note: '; }
                    116:    p.warning:before { content: '\26A0 Warning! '; }
                    117: 
                    118:    .bookkeeping:before { display: block; content: 'Bookkeeping details'; font-weight: bolder; font-style: italic; }
                    119:    .bookkeeping { font-size: 0.8em; margin: 2em 0; }
                    120:    .bookkeeping p { margin: 0.5em 2em; display: list-item; list-style: square; }
1.12      mike      121:    .bookkeeping dt { margin: 0.5em 2em 0; }
                    122:    .bookkeeping dd { margin: 0 3em 0.5em; }
1.1       mike      123: 
                    124:    h4 { position: relative; z-index: 3; }
                    125:    h4 + .element, h4 + div + .element { margin-top: -2.5em; padding-top: 2em; }
                    126:    .element {
                    127:      background: #EEEEFF;
                    128:      color: black;
                    129:      margin: 0 0 1em 0.15em;
                    130:      padding: 0 1em 0.25em 0.75em;
                    131:      border-left: solid #9999FF 0.25em;
                    132:      position: relative;
                    133:      z-index: 1;
                    134:    }
                    135:    .element:before {
                    136:      position: absolute;
                    137:      z-index: 2;
                    138:      top: 0;
                    139:      left: -1.15em;
                    140:      height: 2em;
                    141:      width: 0.9em;
                    142:      background: #EEEEFF;
                    143:      content: ' ';
                    144:      border-style: none none solid solid;
                    145:      border-color: #9999FF;
                    146:      border-width: 0.25em;
                    147:    }
                    148: 
                    149:    .example { display: block; color: #222222; background: #FCFCFC; border-left: double; margin-left: 2em; padding-left: 1em; }
                    150:    td > .example:only-child { margin: 0 0 0 0.1em; }
                    151: 
                    152:    ul.domTree, ul.domTree ul { padding: 0 0 0 1em; margin: 0; }
                    153:    ul.domTree li { padding: 0; margin: 0; list-style: none; position: relative; }
                    154:    ul.domTree li li { list-style: none; }
                    155:    ul.domTree li:first-child::before { position: absolute; top: 0; height: 0.6em; left: -0.75em; width: 0.5em; border-style: none none solid solid; content: ''; border-width: 0.1em; }
                    156:    ul.domTree li:not(:last-child)::after { position: absolute; top: 0; bottom: -0.6em; left: -0.75em; width: 0.5em; border-style: none none solid solid; content: ''; border-width: 0.1em; }
                    157:    ul.domTree span { font-style: italic; font-family: serif; }
                    158:    ul.domTree .t1 code { color: purple; font-weight: bold; }
                    159:    ul.domTree .t2 { font-style: normal; font-family: monospace; }
                    160:    ul.domTree .t2 .name { color: black; font-weight: bold; }
                    161:    ul.domTree .t2 .value { color: blue; font-weight: normal; }
                    162:    ul.domTree .t3 code, .domTree .t4 code, .domTree .t5 code { color: gray; }
                    163:    ul.domTree .t7 code, .domTree .t8 code { color: green; }
                    164:    ul.domTree .t10 code { color: teal; }
                    165: 
                    166:    body.dfnEnabled dfn { cursor: pointer; }
                    167:    .dfnPanel {
                    168:      display: inline;
                    169:      position: absolute;
                    170:      z-index: 10;
                    171:      height: auto;
                    172:      width: auto;
                    173:      padding: 0.5em 0.75em;
                    174:      font: small sans-serif, Droid Sans Fallback;
                    175:      background: #DDDDDD;
                    176:      color: black;
                    177:      border: outset 0.2em;
                    178:    }
                    179:    .dfnPanel * { margin: 0; padding: 0; font: inherit; text-indent: 0; }
                    180:    .dfnPanel :link, .dfnPanel :visited { color: black; }
                    181:    .dfnPanel p { font-weight: bolder; }
                    182:    .dfnPanel * + p { margin-top: 0.25em; }
                    183:    .dfnPanel li { list-style-position: inside; }
                    184: 
                    185:    #configUI { position: absolute; z-index: 20; top: 10em; right: 1em; width: 11em; font-size: small; }
                    186:    #configUI p { margin: 0.5em 0; padding: 0.3em; background: #EEEEEE; color: black; border: inset thin; }
                    187:    #configUI p label { display: block; }
                    188:    #configUI #updateUI, #configUI .loginUI { text-align: center; }
                    189:    #configUI input[type=button] { display: block; margin: auto; }
1.11      mike      190: 
1.30      mike      191:    fieldset { margin: 1em; padding: 0.5em 1em; }
                    192:    fieldset > legend + * { margin-top: 0; }
1.21      mike      193:    fieldset > :last-child { margin-bottom: 0; }
1.30      mike      194:    fieldset p { margin: 0.5em 0; }
                    195: 
1.230     mike      196:    .stability {
                    197:      position: fixed;
                    198:      bottom: 0;
                    199:      left: 0; right: 0;
                    200:      margin: 0 auto 0 auto;
                    201:      width: 50%;
                    202:      background: maroon; color: yellow;
                    203:      -webkit-border-radius: 1em 1em 0 0;
                    204:      -moz-border-radius: 1em 1em 0 0;
                    205:      border-radius: 1em 1em 0 0;
                    206:      -moz-box-shadow: 0 0 1em #500;
                    207:      -webkit-box-shadow: 0 0 1em #500;
                    208:      box-shadow: 0 0 1em red;
                    209:      padding: 0.5em 1em;
                    210:      text-align: center;
                    211:    }
                    212:    .stability strong {
                    213:      display: block;
                    214:    }
                    215:    .stability input {
                    216:      appearance: none; margin: 0; border: 0; padding: 0.25em 0.5em; background: transparent; color: black;
                    217:      position: absolute; top: -0.5em; right: 0; font: 1.25em sans-serif; text-align: center;
                    218:    }
                    219:    .stability input:hover {
                    220:      color: white;
                    221:      text-shadow: 0 0 2px black;
                    222:    }
                    223:    .stability input:active {
                    224:      padding: 0.3em 0.45em 0.2em 0.55em;
                    225:    }
                    226:    .stability :link, .stability :visited,
                    227:    .stability :link:hover, .stability :visited:hover {
                    228:      background: transparent;
                    229:      color: white;
                    230:    }
                    231: 
                    232:   </style><link href="http://www.w3.org/StyleSheets/TR/W3C-WD" rel="stylesheet" type="text/css"><meta content="noindex" name="robots"><style type="text/css">
1.1       mike      233: 
                    234:    .applies thead th > * { display: block; }
                    235:    .applies thead code { display: block; }
                    236:    .applies tbody th { whitespace: nowrap; }
                    237:    .applies td { text-align: center; }
                    238:    .applies .yes { background: yellow; }
                    239: 
1.14      mike      240:    .matrix, .matrix td { border: hidden; text-align: right; }
1.1       mike      241:    .matrix { margin-left: 2em; }
                    242: 
                    243:    .dice-example { border-collapse: collapse; border-style: hidden solid solid hidden; border-width: thin; margin-left: 3em; }
                    244:    .dice-example caption { width: 30em; font-size: smaller; font-style: italic; padding: 0.75em 0; text-align: left; }
                    245:    .dice-example td, .dice-example th { border: solid thin; width: 1.35em; height: 1.05em; text-align: center; padding: 0; }
                    246: 
1.17      mike      247:    td.eg { border-width: thin; text-align: center; }
                    248: 
1.1       mike      249:    #table-example-1 { border: solid thin; border-collapse: collapse; margin-left: 3em; }
                    250:    #table-example-1 * { font-family: "Essays1743", serif; line-height: 1.01em; }
                    251:    #table-example-1 caption { padding-bottom: 0.5em; }
                    252:    #table-example-1 thead, #table-example-1 tbody { border: none; }
                    253:    #table-example-1 th, #table-example-1 td { border: solid thin; }
                    254:    #table-example-1 th { font-weight: normal; }
                    255:    #table-example-1 td { border-style: none solid; vertical-align: top; }
                    256:    #table-example-1 th { padding: 0.5em; vertical-align: middle; text-align: center; }
                    257:    #table-example-1 tbody tr:first-child td { padding-top: 0.5em; }
                    258:    #table-example-1 tbody tr:last-child td { padding-bottom: 1.5em; }
                    259:    #table-example-1 tbody td:first-child { padding-left: 2.5em; padding-right: 0; width: 9em; }
                    260:    #table-example-1 tbody td:first-child::after { content: leader(". "); }
                    261:    #table-example-1 tbody td { padding-left: 2em; padding-right: 2em; }
                    262:    #table-example-1 tbody td:first-child + td { width: 10em; }
                    263:    #table-example-1 tbody td:first-child + td ~ td { width: 2.5em; }
                    264:    #table-example-1 tbody td:first-child + td + td + td ~ td { width: 1.25em; }
                    265: 
                    266:    .apple-table-examples { border: none; border-collapse: separate; border-spacing: 1.5em 0em; width: 40em; margin-left: 3em; }
                    267:    .apple-table-examples * { font-family: "Times", serif; }
                    268:    .apple-table-examples td, .apple-table-examples th { border: none; white-space: nowrap; padding-top: 0; padding-bottom: 0; }
                    269:    .apple-table-examples tbody th:first-child { border-left: none; width: 100%; }
                    270:    .apple-table-examples thead th:first-child ~ th { font-size: smaller; font-weight: bolder; border-bottom: solid 2px; text-align: center; }
                    271:    .apple-table-examples tbody th::after, .apple-table-examples tfoot th::after { content: leader(". ") }
                    272:    .apple-table-examples tbody th, .apple-table-examples tfoot th { font: inherit; text-align: left; }
                    273:    .apple-table-examples td { text-align: right; vertical-align: top; }
                    274:    .apple-table-examples.e1 tbody tr:last-child td { border-bottom: solid 1px; }
                    275:    .apple-table-examples.e1 tbody + tbody tr:last-child td { border-bottom: double 3px; }
                    276:    .apple-table-examples.e2 th[scope=row] { padding-left: 1em; }
                    277:    .apple-table-examples sup { line-height: 0; }
                    278: 
                    279:    .details-example img { vertical-align: top; }
                    280: 
1.40      mike      281:    #base64-table {
                    282:      white-space: nowrap;
                    283:      font-size: 0.6em;
                    284:      column-width: 6em;
                    285:      column-count: 5;
                    286:      column-gap: 1em;
                    287:      -moz-column-width: 6em;
                    288:      -moz-column-count: 5;
                    289:      -moz-column-gap: 1em;
                    290:      -webkit-column-width: 6em;
                    291:      -webkit-column-count: 5;
                    292:      -webkit-column-gap: 1em;
                    293:    }
                    294:    #base64-table thead { display: none; }
                    295:    #base64-table * { border: none; }
                    296:    #base64-table tbody td:first-child:after { content: ':'; }
                    297:    #base64-table tbody td:last-child { text-align: right; }
                    298: 
1.1       mike      299:    #named-character-references-table {
1.19      mike      300:      white-space: nowrap;
1.1       mike      301:      font-size: 0.6em;
1.19      mike      302:      column-width: 30em;
1.1       mike      303:      column-gap: 1em;
1.19      mike      304:      -moz-column-width: 30em;
1.1       mike      305:      -moz-column-gap: 1em;
1.19      mike      306:      -webkit-column-width: 30em;
1.1       mike      307:      -webkit-column-gap: 1em;
                    308:    }
1.19      mike      309:    #named-character-references-table > table > tbody > tr > td:first-child + td,
1.1       mike      310:    #named-character-references-table > table > tbody > tr > td:last-child { text-align: center; }
                    311:    #named-character-references-table > table > tbody > tr > td:last-child:hover > span { position: absolute; top: auto; left: auto; margin-left: 0.5em; line-height: 1.2; font-size: 5em; border: outset; padding: 0.25em 0.5em; background: white; width: 1.25em; height: auto; text-align: center; }
1.19      mike      312:    #named-character-references-table > table > tbody > tr#entity-CounterClockwiseContourIntegral > td:first-child { font-size: 0.5em; }
1.1       mike      313: 
1.2       mike      314:    .glyph.control { color: red; }
                    315: 
1.4       mike      316:    @font-face {
                    317:      font-family: 'Essays1743';
                    318:      src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743.ttf');
                    319:    }
                    320:    @font-face {
                    321:      font-family: 'Essays1743';
                    322:      font-weight: bold;
                    323:      src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743-Bold.ttf');
                    324:    }
                    325:    @font-face {
                    326:      font-family: 'Essays1743';
                    327:      font-style: italic;
                    328:      src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743-Italic.ttf');
                    329:    }
                    330:    @font-face {
                    331:      font-family: 'Essays1743';
                    332:      font-style: italic;
                    333:      font-weight: bold;
                    334:      src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743-BoldItalic.ttf');
                    335:    }
                    336: 
1.61      mike      337:   </style><link href="data:text/css," id="complete" rel="stylesheet" title="Complete specification"><link href="data:text/css,.impl%20%7B%20display:%20none;%20%7D%0Ahtml%20%7B%20border:%20solid%20yellow;%20%7D%20.domintro:before%20%7B%20display:%20none;%20%7D" id="author" rel="alternate stylesheet" title="Author documentation only"><link href="data:text/css,.impl%20%7B%20background:%20%23FFEEEE;%20%7D%20.domintro:before%20%7B%20background:%20%23FFEEEE;%20%7D" id="highlight" rel="alternate stylesheet" title="Highlight implementation requirements"><script type="text/javascript">
1.45      mike      338:    function getCookie(name) {
                    339:      var params = location.search.substr(1).split("&");
                    340:      for (var index = 0; index < params.length; index++) {
                    341:        if (params[index] == name)
                    342:          return "1";
                    343:        var data = params[index].split("=");
                    344:        if (data[0] == name)
                    345:          return unescape(data[1]);
                    346:      }
                    347:      var cookies = document.cookie.split("; ");
                    348:      for (var index = 0; index < cookies.length; index++) {
                    349:        var data = cookies[index].split("=");
                    350:        if (data[0] == name)
                    351:          return unescape(data[1]);
                    352:      }
                    353:      return null;
                    354:    }
1.241     mike      355:   </script>
1.1       mike      356:   <script src="link-fixup.js"></script>
1.146     mike      357:   <link href="the-img-element.html" title="4.8.1 The img element" rel="prev">
                    358:   <link href="index.html#contents" title="Table of contents" rel="contents">
                    359:   <link href="the-embed-element.html" title="4.8.3 The embed element" rel="next">
1.167     mike      360:   </head><body onload="fixBrokenLink();" class="split chapter"><div class="head" id="head">
1.1       mike      361:    <p><a href="http://www.w3.org/"><img alt="W3C" height="48" src="http://www.w3.org/Icons/w3c_home" width="72"></a></p>
1.3       mike      362: 
1.1       mike      363:    <h1>HTML5</h1>
1.244   ! mike      364:    <h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2><p>This is revision 1.5614.</p>
1.230     mike      365: 
1.243     mike      366:    <h2 class="no-num no-toc" id="w3c-working-draft-29-march-2012">W3C Working Draft 29 March 2012</h2>
1.230     mike      367:    </div>
1.146     mike      368: 
1.230     mike      369:   <nav class="prev_next">
1.146     mike      370:    <a href="the-img-element.html">&#8592; 4.8.1 The img element</a> &#8211;
                    371:    <a href="index.html#contents">Table of contents</a> &#8211;
                    372:    <a href="the-embed-element.html">4.8.3 The embed element &#8594;</a>
                    373:   </nav>
1.1       mike      374: 
1.230     mike      375:   <h4 id="the-iframe-element"><span class="secno">4.8.2 </span>The <dfn><code>iframe</code></dfn> element</h4>
                    376: 
                    377:   <dl class="element"><dt><a href="element-definitions.html#element-dfn-categories" title="element-dfn-categories">Categories</a>:</dt>
1.1       mike      378:    <dd><a href="content-models.html#flow-content">Flow content</a>.</dd>
                    379:    <dd><a href="content-models.html#phrasing-content">Phrasing content</a>.</dd>
                    380:    <dd><a href="content-models.html#embedded-content">Embedded content</a>.</dd>
                    381:    <dd><a href="content-models.html#interactive-content">Interactive content</a>.</dd>
1.126     mike      382:    <dd><a href="content-models.html#palpable-content">Palpable content</a>.</dd>
1.170     mike      383:    <dt><a href="element-definitions.html#element-dfn-contexts" title="element-dfn-contexts">Contexts in which this element can be used</a>:</dt>
1.1       mike      384:    <dd>Where <a href="content-models.html#embedded-content">embedded content</a> is expected.</dd>
1.170     mike      385:    <dt><a href="element-definitions.html#element-dfn-content-model" title="element-dfn-content-model">Content model</a>:</dt>
1.18      mike      386:    <dd>Text that conforms to <a href="#iframe-content-model">the requirements given in the prose</a>.</dd>
1.170     mike      387:    <dt><a href="element-definitions.html#element-dfn-attributes" title="element-dfn-attributes">Content attributes</a>:</dt>
1.146     mike      388:    <dd><a href="global-attributes.html#global-attributes">Global attributes</a></dd>
1.1       mike      389:    <dd><code title="attr-iframe-src"><a href="#attr-iframe-src">src</a></code></dd>
                    390:    <dd><code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code></dd>
                    391:    <dd><code title="attr-iframe-name"><a href="#attr-iframe-name">name</a></code></dd>
                    392:    <dd><code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code></dd>
                    393:    <dd><code title="attr-iframe-seamless"><a href="#attr-iframe-seamless">seamless</a></code></dd>
1.146     mike      394:    <dd><code title="attr-dim-width"><a href="dimension-attributes.html#attr-dim-width">width</a></code></dd>
                    395:    <dd><code title="attr-dim-height"><a href="dimension-attributes.html#attr-dim-height">height</a></code></dd>
1.170     mike      396:    <dt><a href="element-definitions.html#element-dfn-dom" title="element-dfn-dom">DOM interface</a>:</dt>
1.1       mike      397:    <dd>
                    398: <pre class="idl">interface <dfn id="htmliframeelement">HTMLIFrameElement</dfn> : <a href="elements.html#htmlelement">HTMLElement</a> {
                    399:            attribute DOMString <a href="#dom-iframe-src" title="dom-iframe-src">src</a>;
                    400:            attribute DOMString <a href="#dom-iframe-srcdoc" title="dom-iframe-srcdoc">srcdoc</a>;
                    401:            attribute DOMString <a href="#dom-iframe-name" title="dom-iframe-name">name</a>;
1.81      mike      402:   [PutForwards=<span title="dom-DOMSettableTokenList-value">value</span>] readonly attribute <a href="infrastructure.html#domsettabletokenlist">DOMSettableTokenList</a> <a href="#dom-iframe-sandbox" title="dom-iframe-sandbox">sandbox</a>;
1.1       mike      403:            attribute boolean <a href="#dom-iframe-seamless" title="dom-iframe-seamless">seamless</a>;
1.146     mike      404:            attribute DOMString <a href="dimension-attributes.html#dom-dim-width" title="dom-dim-width">width</a>;
                    405:            attribute DOMString <a href="dimension-attributes.html#dom-dim-height" title="dom-dim-height">height</a>;
1.68      mike      406:   readonly attribute Document? <a href="#dom-iframe-contentdocument" title="dom-iframe-contentDocument">contentDocument</a>;
                    407:   readonly attribute <a href="browsers.html#windowproxy">WindowProxy</a>? <a href="#dom-iframe-contentwindow" title="dom-iframe-contentWindow">contentWindow</a>;
1.1       mike      408: };</pre>
                    409:    </dd>
1.101     mike      410:   </dl><p>The <code><a href="#the-iframe-element">iframe</a></code> element <a href="rendering.html#represents">represents</a> a
1.230     mike      411:   <a href="browsers.html#nested-browsing-context">nested browsing context</a>.</p>
                    412: 
                    413:   <p>The <dfn id="attr-iframe-src" title="attr-iframe-src"><code>src</code></dfn> attribute
1.1       mike      414:   gives the address of a page that the <a href="browsers.html#nested-browsing-context">nested browsing
                    415:   context</a> is to contain. The attribute, if present, must be a
                    416:   <a href="urls.html#valid-non-empty-url-potentially-surrounded-by-spaces">valid non-empty URL potentially surrounded by
1.230     mike      417:   spaces</a>.</p>
                    418: 
                    419: 
                    420:   <p>The <dfn id="attr-iframe-srcdoc" title="attr-iframe-srcdoc"><code>srcdoc</code></dfn>
1.1       mike      421:   attribute gives the content of the page that the <a href="browsers.html#nested-browsing-context">nested
1.32      mike      422:   browsing context</a> is to contain. The value of the attribute is
1.230     mike      423:   the source of <dfn id="an-iframe-srcdoc-document">an <code>iframe</code> <code title="attr-iframe-srcdoc">srcdoc</code> document</dfn>.</p>
                    424: 
                    425:   <p>For <code><a href="#the-iframe-element">iframe</a></code> elements in <a href="infrastructure.html#html-documents">HTML documents</a>,
1.101     mike      426:   the attribute, if present, must have a value using <a href="syntax.html#syntax">the HTML
1.1       mike      427:   syntax</a> that consists of the following syntactic components,
1.230     mike      428:   in the given order:</p>
                    429: 
                    430:   <ol><li>Any number of <a href="syntax.html#syntax-comments" title="syntax-comments">comments</a> and
1.1       mike      431:    <a href="common-microsyntaxes.html#space-character" title="space character">space characters</a>.</li>
                    432: 
1.101     mike      433:    <li>Optionally, a <a href="syntax.html#syntax-doctype" title="syntax-doctype">DOCTYPE</a>.
1.1       mike      434: 
1.101     mike      435:    </li><li>Any number of <a href="syntax.html#syntax-comments" title="syntax-comments">comments</a> and
1.1       mike      436:    <a href="common-microsyntaxes.html#space-character" title="space character">space characters</a>.</li>
                    437: 
1.146     mike      438:    <li>The root element, in the form of an <code><a href="the-html-element.html#the-html-element">html</a></code> <a href="syntax.html#syntax-elements" title="syntax-elements">element</a>.</li>
1.1       mike      439: 
1.101     mike      440:    <li>Any number of <a href="syntax.html#syntax-comments" title="syntax-comments">comments</a> and
1.1       mike      441:    <a href="common-microsyntaxes.html#space-character" title="space character">space characters</a>.</li>
                    442: 
1.82      mike      443:   </ol><p>For <code><a href="#the-iframe-element">iframe</a></code> elements in <a href="infrastructure.html#xml-documents">XML documents</a>,
1.1       mike      444:   the attribute, if present, must have a value that matches the
1.145     mike      445:   production labeled <code><a href="dom.html#document">document</a></code> in the XML
1.230     mike      446:   specification. <a href="references.html#refsXML">[XML]</a></p>
                    447: 
                    448:   <p>If the <code title="attr-iframe-src"><a href="#attr-iframe-src">src</a></code> attribute and the
1.1       mike      449:   <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute are both
                    450:   specified together, the <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code>
                    451:   attribute takes priority. This allows authors to provide a fallback
                    452:   <a href="urls.html#url">URL</a> for legacy user agents that do not support the
1.230     mike      453:   <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute.</p>
                    454: 
                    455:   <div class="impl">
1.1       mike      456: 
                    457:   <p>When an <code><a href="#the-iframe-element">iframe</a></code> element is first <a href="infrastructure.html#insert-an-element-into-a-document" title="insert
                    458:   an element into a document">inserted into a document</a>, the
                    459:   user agent must create a <a href="browsers.html#nested-browsing-context">nested browsing context</a>, and
                    460:   then <a href="#process-the-iframe-attributes">process the <code>iframe</code> attributes</a> for the
                    461:   first time.</p>
                    462: 
                    463:   <p>Whenever an <code><a href="#the-iframe-element">iframe</a></code> element with a <a href="browsers.html#nested-browsing-context">nested
1.32      mike      464:   browsing context</a> has its <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute set, changed, or
                    465:   removed, the user agent must <a href="#process-the-iframe-attributes">process the <code>iframe</code>
1.1       mike      466:   attributes</a>.</p>
                    467: 
                    468:   <p>Similarly, whenever an <code><a href="#the-iframe-element">iframe</a></code> element with a
                    469:   <a href="browsers.html#nested-browsing-context">nested browsing context</a> but with no <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute specified has its
1.32      mike      470:   <code title="attr-iframe-src"><a href="#attr-iframe-src">src</a></code> attribute set, changed, or
                    471:   removed, the user agent must <a href="#process-the-iframe-attributes">process the <code>iframe</code>
1.46      mike      472:   attributes</a>.</p> 
1.149     mike      473: 
1.1       mike      474:   <p>When the user agent is to <dfn id="process-the-iframe-attributes">process the <code>iframe</code>
                    475:   attributes</dfn>, it must run the first appropriate steps from the
                    476:   following list:</p>
                    477: 
                    478:   <dl class="switch"><dt>If the <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute
                    479:    is specified</dt>
                    480: 
1.46      mike      481:    <dd><p><a href="history.html#navigate">Navigate</a> the element's
1.34      mike      482:    <a href="browsers.html#browsing-context">browsing context</a> to a resource whose
1.146     mike      483:    <a href="urls.html#content-type">Content-Type</a> is <code><a href="iana.html#text-html">text/html</a></code>, whose
1.34      mike      484:    <a href="urls.html#url">URL</a> is <code><a href="urls.html#about:srcdoc">about:srcdoc</a></code>, and whose data
                    485:    consists of the value of the attribute. The resulting
1.145     mike      486:    <code><a href="dom.html#document">Document</a></code> must be considered <a href="#an-iframe-srcdoc-document">an
1.34      mike      487:    <code>iframe</code> <code title="attr-iframe-srcdoc">srcdoc</code>
                    488:    document</a>.</p></dd>
1.1       mike      489: 
                    490:    <dt>If the <code title="attr-iframe-src"><a href="#attr-iframe-src">src</a></code>
                    491:    attribute is specified but the <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute is not</dt>
                    492: 
                    493:    <dd>
                    494: 
                    495:     <ol><li><p>If the value of the <code title="attr-iframe-src"><a href="#attr-iframe-src">src</a></code> attribute is the empty string,
                    496:      jump to the <i title="">empty</i> step below.</p></li>
                    497: 
                    498:      <li><p><a href="urls.html#resolve-a-url" title="resolve a url">Resolve</a> the value of
                    499:      the <code title="attr-iframe-src"><a href="#attr-iframe-src">src</a></code> attribute, relative
                    500:      to the <code><a href="#the-iframe-element">iframe</a></code> element.</p></li>
                    501: 
                    502:      <li><p>If that is not successful, then jump to the <i title="">empty</i> step below.</p></li>
                    503: 
                    504:      <li><p>If the resulting <a href="urls.html#absolute-url">absolute URL</a> is an
                    505:      <a href="infrastructure.html#ascii-case-insensitive">ASCII case-insensitive</a> match for the string
1.146     mike      506:      "<code><a href="urls.html#about:blank">about:blank</a></code>", and the user agent is processing this
1.1       mike      507:      <code><a href="#the-iframe-element">iframe</a></code>'s attributes for the first time, then jump to
                    508:      the <i title="">empty</i> step below. (In cases other than the
1.146     mike      509:      first time, <code><a href="urls.html#about:blank">about:blank</a></code> is loaded
1.1       mike      510:      normally.)</p></li>
                    511: 
1.46      mike      512:      <li><p><a href="history.html#navigate">Navigate</a> the element's
1.34      mike      513:      <a href="browsers.html#browsing-context">browsing context</a> to the resulting <a href="urls.html#absolute-url">absolute
1.1       mike      514:      URL</a>.</p></li>
                    515: 
                    516:     </ol><p><i>Empty</i>: When the steps above require the user agent to
                    517:     jump to the <i title="">empty</i> step, if the user agent is
                    518:     processing this <code><a href="#the-iframe-element">iframe</a></code>'s attributes for the first
                    519:     time, then the user agent must <a href="webappapis.html#queue-a-task">queue a task</a> to
1.66      mike      520:     <a href="webappapis.html#fire-a-simple-event">fire a simple event</a> named <code title="event-load">load</code> at the <code><a href="#the-iframe-element">iframe</a></code> element.
                    521:     (After jumping to this step, the above steps are not resumed.)
                    522:     <span class="note">No <code title="event-load">load</code> event
1.146     mike      523:     is fired at the <code><a href="urls.html#about:blank">about:blank</a></code> document
1.66      mike      524:     itself.</span></p>
1.1       mike      525: 
                    526:    </dd>
                    527: 
                    528:    <dt>Otherwise</dt>
                    529: 
                    530:    <dd>
                    531: 
                    532:     <p><a href="webappapis.html#queue-a-task">Queue a task</a> to <a href="webappapis.html#fire-a-simple-event">fire a simple event</a>
                    533:     named <code title="event-load">load</code> at the
                    534:     <code><a href="#the-iframe-element">iframe</a></code> element.</p>
                    535: 
                    536:    </dd>
                    537: 
                    538:   </dl><p>Any <a href="history.html#navigate" title="navigate">navigation</a> required of the user
                    539:   agent in the <a href="#process-the-iframe-attributes">process the <code>iframe</code> attributes</a>
                    540:   algorithm must be completed with the <code><a href="#the-iframe-element">iframe</a></code> element's
                    541:   document's <a href="browsers.html#browsing-context">browsing context</a> as the <a href="history.html#source-browsing-context">source
                    542:   browsing context</a>.</p>
                    543: 
1.8       mike      544:   <p>Furthermore, if the <a href="browsers.html#browsing-context">browsing context</a>'s <a href="history.html#session-history">session
1.145     mike      545:   history</a> contained only one <code><a href="dom.html#document">Document</a></code> when the
1.8       mike      546:   <a href="#process-the-iframe-attributes">process the <code>iframe</code> attributes</a> algorithm
1.146     mike      547:   was invoked, and that was the <code><a href="urls.html#about:blank">about:blank</a></code>
1.145     mike      548:   <code><a href="dom.html#document">Document</a></code> created when the <a href="browsers.html#browsing-context">browsing context</a>
1.8       mike      549:   was created, then any <a href="history.html#navigate" title="navigate">navigation</a>
                    550:   required of the user agent in that algorithm must be completed with
1.46      mike      551:   <a href="history.html#replacement-enabled">replacement enabled</a>.</p> 
1.149     mike      552: 
1.230     mike      553:   </div>
                    554: 
                    555:   <p class="note">If, when the element is created, the <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute is not set, and
1.1       mike      556:   the <code title="attr-iframe-src"><a href="#attr-iframe-src">src</a></code> attribute is either
                    557:   also not set or set but its value cannot be <a href="urls.html#resolve-a-url" title="resolve a
                    558:   url">resolved</a>, the browsing context will remain at the
1.230     mike      559:   initial <code><a href="urls.html#about:blank">about:blank</a></code> page.</p>
                    560: 
                    561:   <p class="note">If the user <a href="history.html#navigate" title="navigate">navigates</a>
1.1       mike      562:   away from this page, the <code><a href="#the-iframe-element">iframe</a></code>'s corresponding
                    563:   <code><a href="browsers.html#windowproxy">WindowProxy</a></code> object will proxy new <code><a href="browsers.html#window">Window</a></code>
1.230     mike      564:   objects for new <code><a href="dom.html#document">Document</a></code> objects, but the <code title="attr-iframe-src"><a href="#attr-iframe-src">src</a></code> attribute will not change.</p>
                    565: 
                    566:   <div class="impl">
1.9       mike      567: 
                    568:   <div class="note">
                    569: 
                    570:    <p><a href="infrastructure.html#remove-an-element-from-a-document" title="remove an element from a document">Removing</a>
1.145     mike      571:    an <code><a href="#the-iframe-element">iframe</a></code> from a <code><a href="dom.html#document">Document</a></code> does not cause
1.9       mike      572:    its <a href="browsers.html#browsing-context">browsing context</a> to be discarded. Indeed, an
                    573:    <code><a href="#the-iframe-element">iframe</a></code>'s <a href="browsers.html#browsing-context">browsing context</a> can survive its
1.145     mike      574:    original parent <code><a href="dom.html#document">Document</a></code> if its <code><a href="#the-iframe-element">iframe</a></code> is
                    575:    moved to another <code><a href="dom.html#document">Document</a></code>.</p>
1.9       mike      576: 
1.10      mike      577:    <p>On the other hand, if an <code><a href="#the-iframe-element">iframe</a></code> is <a href="infrastructure.html#remove-an-element-from-a-document" title="remove an element from a document">removed</a> from a
1.145     mike      578:    <code><a href="dom.html#document">Document</a></code> and is then subsequently garbage collected,
1.10      mike      579:    this will likely mean (in the absence of other references) that the
                    580:    <a href="browsers.html#child-browsing-context">child browsing context</a>'s <code><a href="browsers.html#windowproxy">WindowProxy</a></code>
                    581:    object will become eligible for garbage collection, which will then
                    582:    lead to that <a href="browsers.html#browsing-context">browsing context</a> being <a href="browsers.html#a-browsing-context-is-discarded" title="a
                    583:    browsing context is discarded">discarded</a>, which will then
1.145     mike      584:    lead to its <code><a href="dom.html#document">Document</a></code> being <a href="browsers.html#discard-a-document" title="discard a
1.9       mike      585:    document">discarded</a> also. This happens without notice to any
1.145     mike      586:    scripts running in that <code><a href="dom.html#document">Document</a></code>; for example, no
1.9       mike      587:    <code title="event-unload">unload</code> events are fired (the
1.10      mike      588:    "<a href="history.html#unload-a-document">unload a document</a>" steps are not run).</p>
1.9       mike      589: 
                    590:   </div>
                    591: 
1.230     mike      592:   </div>
                    593: 
                    594:   <div class="example">
1.1       mike      595: 
                    596:    <p>Here a blog uses the <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute in conjunction
                    597:    with the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> and <code title="attr-iframe-seamless"><a href="#attr-iframe-seamless">seamless</a></code> attributes described
                    598:    below to provide users of user agents that support this feature
                    599:    with an extra layer of protection from script injection in the blog
                    600:    post comments:</p>
                    601: 
                    602:    <pre>&lt;article&gt;
                    603:  &lt;h1&gt;I got my own magazine!&lt;/h1&gt;
                    604:  &lt;p&gt;After much effort, I've finally found a publisher, and so now I
                    605:  have my own magazine! Isn't that awesome?! The first issue will come
                    606:  out in September, and we have articles about getting food, and about
                    607:  getting in boxes, it's going to be great!&lt;/p&gt;
                    608:  &lt;footer&gt;
1.145     mike      609:   &lt;p&gt;Written by &lt;a href="/users/cap"&gt;cap&lt;/a&gt;, 1 hour ago.
1.1       mike      610:  &lt;/footer&gt;
                    611:  &lt;article&gt;
1.145     mike      612:   &lt;footer&gt; Thirteen minutes ago, &lt;a href="/users/ch"&gt;ch&lt;/a&gt; wrote: &lt;/footer&gt;
1.33      mike      613:   &lt;iframe seamless sandbox srcdoc="&lt;p&gt;did you get a cover picture yet?"&gt;&lt;/iframe&gt;
1.1       mike      614:  &lt;/article&gt;
                    615:  &lt;article&gt;
1.145     mike      616:   &lt;footer&gt; Nine minutes ago, &lt;a href="/users/cap"&gt;cap&lt;/a&gt; wrote: &lt;/footer&gt;
1.33      mike      617:   &lt;iframe seamless sandbox srcdoc="&lt;p&gt;Yeah, you can see it &lt;a href=&amp;quot;/gallery?mode=cover&amp;amp;amp;page=1&amp;quot;&gt;in my gallery&lt;/a&gt;."&gt;&lt;/iframe&gt;
1.1       mike      618:  &lt;/article&gt;
                    619:  &lt;article&gt;
1.145     mike      620:   &lt;footer&gt; Five minutes ago, &lt;a href="/users/ch"&gt;ch&lt;/a&gt; wrote: &lt;/footer&gt;
1.33      mike      621:   &lt;iframe seamless sandbox srcdoc="&lt;p&gt;hey that's earl's table.
1.1       mike      622: &lt;p&gt;you should get earl&amp;amp;amp;me on the next cover."&gt;&lt;/iframe&gt;
                    623:  &lt;/article&gt;</pre>
                    624: 
                    625:    <p>Notice the way that quotes have to be escaped (otherwise the
1.101     mike      626:    <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute would end
                    627:    prematurely), and the way raw ampersands (e.g. in URLs or in prose)
                    628:    mentioned in the sandboxed content have to be <em>doubly</em>
                    629:    escaped &#8212; once so that the ampersand is preserved when
                    630:    originally parsing the <code title="attr-iframe-srcdoc"><a href="#attr-iframe-srcdoc">srcdoc</a></code> attribute, and once more
1.1       mike      631:    to prevent the ampersand from being misinterpreted when parsing the
                    632:    sandboxed content.</p>
                    633: 
1.230     mike      634:   </div>
                    635: 
                    636:   <p class="note">In <a href="syntax.html#syntax">the HTML syntax</a>, authors need only
                    637:   remember to use """ (U+0022) characters to wrap the
                    638:   attribute contents and then to escape all """ (U+0022)
1.1       mike      639:   and U+0026 AMPERSAND (&amp;) characters, and to specify the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute, to ensure safe
1.230     mike      640:   embedding of content.</p>
                    641: 
                    642:   <p class="note">Due to restrictions of <a href="the-xhtml-syntax.html#the-xhtml-syntax">the XHTML
1.141     mike      643:   syntax</a>, in XML the U+003C LESS-THAN SIGN character (&lt;)
                    644:   needs to be escaped as well. In order to prevent <a href="http://www.w3.org/TR/REC-xml/#AVNormalize">attribute-value
1.39      mike      645:   normalization</a>, some of XML's whitespace characters &#8212;
1.230     mike      646:   specifically "tab" (U+0009), "LF" (U+000A), and "CR" (U+000D) &#8212; also need to be
                    647:   escaped. <a href="references.html#refsXML">[XML]</a></p>
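  <p>The two escaping stages described in the example and notes above, as an added sketch that is not part of the specification: stage 1 prepares untrusted text as HTML source, stage 2 encodes that source as a <code>srcdoc</code> attribute value for the HTML or the XML syntax. The function names (<code>textToHtml</code>, <code>encodeSrcdocValue</code>, <code>decodeSrcdocValue</code>, <code>buildCommentFrame</code>) are assumptions of this sketch, and the sample comments are constructed.</p>

```javascript
// Added example; the function names are illustrative and not defined by the spec.

// Stage 1: turn untrusted plain text into HTML source for the nested document.
// Escaping "&" and "<" keeps the text from being parsed as markup.
function textToHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;');
}

// Stage 2: encode that HTML source as a double-quoted srcdoc attribute value.
// "&" must be replaced first, otherwise the "&" of "&quot;" is escaped again.
function encodeSrcdocValue(html, syntax = 'html') {
  let value = html.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  if (syntax === 'xml') {
    // XML also needs "<" escaped, and tab, LF and CR written as character
    // references so that attribute-value normalization leaves them intact.
    value = value
      .replace(/</g, '&lt;')
      .replace(/\t/g, '&#x9;')
      .replace(/\n/g, '&#xA;')
      .replace(/\r/g, '&#xD;');
  }
  return value;
}

// Inverse of encodeSrcdocValue, limited to the references it emits. It works
// in a single pass, so "&amp;amp;" decodes to "&amp;" and not to "&".
const REFERENCES = {
  amp: '&', quot: '"', lt: '<', '#x9': '\t', '#xA': '\n', '#xD': '\r',
};
function decodeSrcdocValue(value) {
  return value.replace(/&(amp|quot|lt|#x9|#xA|#xD);/g, (match, name) => REFERENCES[name]);
}

// Both stages together, producing markup shaped like the blog example above.
function buildCommentFrame(commentText) {
  const html = '<p>' + textToHtml(commentText);
  return '<iframe seamless sandbox srcdoc="' + encodeSrcdocValue(html) + '"></iframe>';
}

// Constructed sample comments, treated as untrusted plain text.
const sampleComments = [
  'you should get earl&me on the next cover.',
  'she said "hi" & left <b>early',
];
for (const comment of sampleComments) {
  console.log(buildCommentFrame(comment));
}
```

  <p>Decoding the attribute value once gives the HTML source of the nested document; parsing that source resolves the second level of escaping.</p>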
                    648: 
                    649:   <hr><p>The <dfn id="attr-iframe-name" title="attr-iframe-name"><code>name</code></dfn>
1.1       mike      650:   attribute, if present, must be a <a href="browsers.html#valid-browsing-context-name">valid browsing context
                    651:   name</a>. The given value is used to name the <a href="browsers.html#nested-browsing-context">nested
                    652:   browsing context</a>. <span class="impl">When the browsing
                    653:   context is created, if the attribute is present, the <a href="browsers.html#browsing-context-name">browsing
                    654:   context name</a> must be set to the value of this attribute;
                    655:   otherwise, the <a href="browsers.html#browsing-context-name">browsing context name</a> must be set to the
1.230     mike      656:   empty string.</span></p>
                    657: 
                    658:   <div class="impl">
1.1       mike      659: 
                    660:   <p>Whenever the <code title="attr-iframe-name"><a href="#attr-iframe-name">name</a></code> attribute
                    661:   is set, the nested <a href="browsers.html#browsing-context">browsing context</a>'s <a href="browsers.html#browsing-context-name" title="browsing context name">name</a> must be changed to the new
                    662:   value. If the attribute is removed, the <a href="browsers.html#browsing-context-name">browsing context
                    663:   name</a> must be set to the empty string.</p>
                    664: 
                    665:   <p>When content loads in an <code><a href="#the-iframe-element">iframe</a></code>, after any <code title="event-load">load</code> events are fired within the content
                    666:   itself, the user agent must <a href="webappapis.html#queue-a-task">queue a task</a> to <a href="webappapis.html#fire-a-simple-event">fire
                    667:   a simple event</a> named <code title="event-load">load</code> at
                    668:   the <code><a href="#the-iframe-element">iframe</a></code> element. When content whose <a href="urls.html#url">URL</a>
                    669:   has the <a href="origin-0.html#same-origin">same origin</a> as the <code><a href="#the-iframe-element">iframe</a></code>
1.145     mike      670:   element's <code><a href="dom.html#document">Document</a></code> fails to load (e.g. due to a DNS
1.1       mike      671:   error, network error, or if the server returned a 4xx or 5xx status
1.146     mike      672:   code <a href="urls.html#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or
1.1       mike      673:   equivalent</a>), then the user agent must <a href="webappapis.html#queue-a-task">queue a
                    674:   task</a> to <a href="webappapis.html#fire-a-simple-event">fire a simple event</a> named <code title="event-error">error</code> at the element instead. (This event
1.101     mike      675:   does not fire for <a href="parsing.html#parse-error" title="parse error">parse errors</a>,
1.1       mike      676:   script errors, or any errors for cross-origin resources.)</p>
                    677: 
                    678:   <p>The <a href="webappapis.html#task-source">task source</a> for these <a href="webappapis.html#concept-task" title="concept-task">tasks</a> is the <a href="webappapis.html#dom-manipulation-task-source">DOM manipulation
                    679:   task source</a>.</p>
                    680: 
                    681:   <p class="note">A <code title="event-load">load</code> event is also
                    682:   fired at the <code><a href="#the-iframe-element">iframe</a></code> element when it is created if no
                    683:   other data is loaded in it.</p>
                    684: 
                    685:   <p>When there is an <a href="dom.html#active-parser">active parser</a> in the
                    686:   <code><a href="#the-iframe-element">iframe</a></code>, and when anything in the <code><a href="#the-iframe-element">iframe</a></code> is
1.101     mike      687:   <a href="the-end.html#delay-the-load-event" title="delay the load event">delaying the load event</a> of
1.1       mike      688:   the <code><a href="#the-iframe-element">iframe</a></code>'s <a href="browsers.html#browsing-context">browsing context</a>'s
                    689:   <a href="browsers.html#active-document">active document</a>, the <code><a href="#the-iframe-element">iframe</a></code> must
1.101     mike      690:   <a href="the-end.html#delay-the-load-event">delay the load event</a> of its document.</p>
1.1       mike      691: 
                    692:   <p class="note">If, during the handling of the <code title="event-load">load</code> event, the <a href="browsers.html#browsing-context">browsing
1.101     mike      693:   context</a> in the <code><a href="#the-iframe-element">iframe</a></code> is again <a href="history.html#navigate" title="navigate">navigated</a>, that will further <a href="the-end.html#delay-the-load-event">delay the
1.1       mike      694:   load event</a>.</p>
                    695: 
1.230     mike      696:   </div>
                    697: 
                    698:   <hr><p>The <dfn id="attr-iframe-sandbox" title="attr-iframe-sandbox"><code>sandbox</code></dfn>
1.1       mike      699:   attribute, when specified, enables a set of extra restrictions on
                    700:   any content hosted by the <code><a href="#the-iframe-element">iframe</a></code>. Its value must be an
1.20      mike      701:   <a href="common-microsyntaxes.html#unordered-set-of-unique-space-separated-tokens">unordered set of unique space-separated tokens</a> that are
1.77      mike      702:   <a href="infrastructure.html#ascii-case-insensitive">ASCII case-insensitive</a>. The allowed values are
1.1       mike      703:   <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code>,
1.77      mike      704:   <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>,
                    705:   <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>, and
                    706:   <code title="attr-iframe-sandbox-allow-top-navigation"><a href="#attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</a></code>.
                    707: 
                    708:   When the attribute is set, the content is treated as being from a
                    709:   unique <a href="origin-0.html#origin">origin</a>, forms and scripts are disabled, links
                    710:   are prevented from targeting other <a href="browsers.html#browsing-context" title="browsing
1.114     mike      711:   context">browsing contexts</a>, and plugins are secured. The
1.1       mike      712:   <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
                    713:   keyword allows the content to be treated as being from the same
                    714:   origin instead of forcing it into a unique origin, the <code title="attr-iframe-sandbox-allow-top-navigation"><a href="#attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</a></code>
                    715:   keyword allows the content to <a href="history.html#navigate">navigate</a> its
                    716:   <a href="browsers.html#top-level-browsing-context">top-level browsing context</a>, and the <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> and <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
                    717:   keywords re-enable forms and scripts respectively (though scripts
1.230     mike      718:   are still prevented from creating popups).</p>
                    719: 
                    720:   <p class="warning">Setting both the
1.77      mike      721:   <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> and
1.1       mike      722:   <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
                    723:   keywords together when the embedded page has the <a href="origin-0.html#same-origin">same
                    724:   origin</a> as the page containing the <code><a href="#the-iframe-element">iframe</a></code> allows
1.230     mike      725:   the embedded page to simply remove the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute.</p>
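  <p>The keyword rules and the warning above, as an added sketch that is not part of the specification: a check that reads a <code>sandbox</code> value as a set of ASCII case-insensitive tokens, reports which restrictions stay in force, and flags the <code>allow-scripts</code> plus <code>allow-same-origin</code> combination on same-origin content. The name <code>auditSandbox</code>, the report fields and the <code>embeddedIsSameOrigin</code> parameter are assumptions of this sketch.</p>

```javascript
// Added example; names are illustrative and not defined by the spec.

// The four keywords this section allows in the sandbox attribute.
const SANDBOX_KEYWORDS = [
  'allow-forms',
  'allow-same-origin',
  'allow-scripts',
  'allow-top-navigation',
];

// Split on HTML space characters (space, tab, LF, FF, CR).
function splitOnSpaces(value) {
  return value.split(/[ \t\n\f\r]+/).filter((token) => token !== '');
}

// Lowercase A-Z only, so the comparison is ASCII case-insensitive.
function asciiLower(text) {
  return text.replace(/[A-Z]/g, (c) => c.toLowerCase());
}

// value: the sandbox attribute value, or null when the attribute is absent.
// embeddedIsSameOrigin: supplied by the caller; true when the embedded page
// has the same origin as the page containing the iframe.
function auditSandbox(value, embeddedIsSameOrigin) {
  const report = {
    sandboxed: value !== null,
    unknown: [],
    duplicates: [],
    uniqueOrigin: false,
    formsDisabled: false,
    scriptsDisabled: false,
    topNavigationBlocked: false,
    findings: [],
  };
  if (value === null) {
    report.findings.push('no sandbox attribute: no extra restrictions apply');
    return report;
  }

  const seen = new Set();
  for (const raw of splitOnSpaces(value)) {
    const token = asciiLower(raw);
    if (seen.has(token)) {
      if (!report.duplicates.includes(token)) report.duplicates.push(token);
      continue;
    }
    seen.add(token);
    if (!SANDBOX_KEYWORDS.includes(token)) report.unknown.push(token);
  }

  // Every restriction applies unless its keyword lifts it.
  report.uniqueOrigin = !seen.has('allow-same-origin');
  report.formsDisabled = !seen.has('allow-forms');
  report.scriptsDisabled = !seen.has('allow-scripts');
  report.topNavigationBlocked = !seen.has('allow-top-navigation');

  if (report.unknown.length > 0) {
    report.findings.push('not an allowed keyword: ' + report.unknown.join(', '));
  }
  if (report.duplicates.length > 0) {
    report.findings.push('tokens must be unique: ' + report.duplicates.join(', '));
  }
  if (!report.scriptsDisabled && !report.uniqueOrigin && embeddedIsSameOrigin) {
    report.findings.push(
      'allow-scripts with allow-same-origin on same-origin content: ' +
      'the embedded page can remove the sandbox attribute');
  }
  return report;
}

// Constructed attribute values.
for (const value of ['', 'Allow-Scripts allow-same-origin', 'allow-forms ALLOW-FORMS']) {
  console.log(JSON.stringify(value), auditSandbox(value, true).findings);
}
```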
                    726: 
                    727:   <p class="warning">Sandboxing hostile content is of minimal help if
1.1       mike      728:   an attacker can convince the user to just visit the hostile content
                    729:   directly, rather than in the <code><a href="#the-iframe-element">iframe</a></code>. To limit the
                    730:   damage that can be caused by hostile HTML content, it should be
1.230     mike      731:   served from a separate dedicated domain.</p>
                    732: 
                    733:   <div class="impl">
1.1       mike      734: 
1.46      mike      735:   
1.149     mike      736: 
1.1       mike      737:   <p>While the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
                    738:   attribute is specified, the <code><a href="#the-iframe-element">iframe</a></code> element's
                    739:   <a href="browsers.html#nested-browsing-context">nested browsing context</a> must have the flags given in
                    740:   the following list set.  In addition, any browsing contexts <a href="browsers.html#nested-browsing-context" title="nested browsing context">nested</a> within an
                    741:   <code><a href="#the-iframe-element">iframe</a></code>, either directly or indirectly, must have all
                    742:   the flags set on them as were set on the <code><a href="#the-iframe-element">iframe</a></code>'s
1.145     mike      743:   <code><a href="dom.html#document">Document</a></code>'s <a href="browsers.html#browsing-context">browsing context</a> when the
                    744:   <code><a href="#the-iframe-element">iframe</a></code>'s <code><a href="dom.html#document">Document</a></code> was created.</p>
1.1       mike      745: 
                    746:   <dl><dt>The <dfn id="sandboxed-navigation-browsing-context-flag">sandboxed navigation browsing context flag</dfn></dt>
                    747: 
                    748:    <dd>
                    749: 
                    750:     <p>This flag <a href="history.html#sandboxLinks">prevents content from
                    751:     navigating browsing contexts other than the sandboxed browsing
                    752:     context itself</a> (or browsing contexts further nested inside
                    753:     it), and the <a href="browsers.html#top-level-browsing-context">top-level browsing context</a> (which is
                    754:     protected by the <a href="#sandboxed-top-level-navigation-browsing-context-flag">sandboxed top-level navigation browsing
                    755:     context flag</a> defined next).</p>
                    756: 
                    757:     <p>This flag also <a href="browsers.html#sandboxWindowOpen">prevents content
                    758:     from creating new auxiliary browsing contexts</a>, e.g. using the
1.72      mike      759:     <code title="attr-hyperlink-target"><a href="links.html#attr-hyperlink-target">target</a></code> attribute, the
1.146     mike      760:     <code title="dom-open"><a href="browsers.html#dom-open">window.open()</a></code> method, or the <code title="dom-showModalDialog"><a href="user-prompts.html#dom-showmodaldialog">showModalDialog()</a></code> method.</p>
1.1       mike      761: 
                    762:    </dd>
                    763: 
                    764: 
                    765:    <dt>The <dfn id="sandboxed-top-level-navigation-browsing-context-flag">sandboxed top-level navigation browsing context
                    766:    flag</dfn>, unless the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's value, when
                    767:    <a href="common-microsyntaxes.html#split-a-string-on-spaces" title="split a string on spaces">split on spaces</a>, is
                    768:    found to have the <dfn id="attr-iframe-sandbox-allow-top-navigation" title="attr-iframe-sandbox-allow-top-navigation"><code>allow-top-navigation</code></dfn>
                    769:    keyword set</dt>
                    770: 
                    771:    <dd>
                    772: 
                    773:     <p>This flag <a href="history.html#sandboxLinks">prevents content from
                    774:     navigating its <span>top-level browsing context</span></a>.</p>
                    775: 
                    776:     <p>When the <code title="attr-iframe-sandbox-allow-top-navigation"><a href="#attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</a></code>
                    777:     is set, content can navigate its <a href="browsers.html#top-level-browsing-context">top-level browsing
                    778:     context</a>, but other <a href="browsers.html#browsing-context" title="browsing context">browsing
                    779:     contexts</a> are still protected by the <a href="#sandboxed-navigation-browsing-context-flag">sandboxed
                    780:     navigation browsing context flag</a> defined above.</p>
                    781: 
                    782:    </dd>
                    783: 
                    784: 
                    785:    <dt>The <dfn id="sandboxed-plugins-browsing-context-flag">sandboxed plugins browsing context flag</dfn></dt>
                    786: 
                    787:    <dd>
                    788: 
1.146     mike      789:     <p>This flag prevents content from instantiating <a href="infrastructure.html#plugin" title="plugin">plugins</a>, whether using <a href="the-embed-element.html#sandboxPluginEmbed">the <code>embed</code> element</a>, <a href="the-object-element.html#sandboxPluginObject">the <code>object</code> element</a>,
1.101     mike      790:     <a href="obsolete.html#sandboxPluginApplet">the <code>applet</code>
1.1       mike      791:     element</a>, or through <a href="history.html#sandboxPluginNavigate">navigation</a> of a <a href="browsers.html#nested-browsing-context">nested
1.114     mike      792:     browsing context</a>, unless those <a href="infrastructure.html#plugin" title="plugin">plugins</a> can be <a href="infrastructure.html#concept-plugin-secure" title="concept-plugin-secure">secured</a>.</p>
1.1       mike      793: 
                    794:    </dd>
                    795: 
                    796: 
                    797:    <dt>The <dfn id="sandboxed-seamless-iframes-flag">sandboxed seamless iframes flag</dfn></dt>
                    798: 
                    799:    <dd>
                    800: 
                    801:     <p>This flag prevents content from using the <code title="attr-iframe-seamless"><a href="#attr-iframe-seamless">seamless</a></code> attribute on
                    802:     descendant <code><a href="#the-iframe-element">iframe</a></code> elements.</p>
                    803: 
                    804:     <p class="note">This prevents a page inserted using the <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
                    805:     keyword from using a CSS-selector-based method of probing the DOM
                    806:     of other pages on the same site (in particular, pages that contain
                    807:     user-sensitive information).</p>
                    808: 
1.46      mike      809:     
1.1       mike      810: 
                    811:    </dd>
                    812: 
                    813: 
                    814:    <dt>The <dfn id="sandboxed-origin-browsing-context-flag">sandboxed origin browsing context flag</dfn>, unless
                    815:    the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's
                    816:    value, when <a href="common-microsyntaxes.html#split-a-string-on-spaces" title="split a string on spaces">split on
                    817:    spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-same-origin" title="attr-iframe-sandbox-allow-same-origin"><code>allow-same-origin</code></dfn>
                    818:    keyword set</dt>
                    819: 
                    820:    <dd>
                    821: 
                    822:     <p>This flag <a href="origin-0.html#sandboxOrigin">forces content into a unique
                    823:     origin</a>, thus preventing it from accessing other content from
                    824:     the same <a href="origin-0.html#origin">origin</a>.</p>
                    825: 
                    826:     <p>This flag also <a href="dom.html#sandboxCookies">prevents script from
                    827:     reading from or writing to the <code title="dom-document-cookie">document.cookie</code> IDL
1.38      mike      828:     attribute</a>, and blocks access to <code title="dom-localStorage">localStorage</code>.
1.1       mike      829:     
1.101     mike      830:     <a href="references.html#refsWEBSTORAGE">[WEBSTORAGE]</a>
1.1       mike      831:     
                    832:     </p>
                    833: 
                    834:     <div class="note">
                    835: 
                    836:      <p>The <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
                    837:      keyword is intended for two cases.</p>
                    838: 
                    839:      <p>First, it can be used to allow content from the same site to
                    840:      be sandboxed to disable scripting, while still allowing access to
                    841:      the DOM of the sandboxed content.</p>
                    842: 
                    843:      <p>Second, it can be used to embed content from a third-party
                    844:      site, sandboxed to prevent that site from opening popup windows,
                    845:      etc., without preventing the embedded page from communicating back
                    846:      to its originating site, using the database APIs to store data,
                    847:      etc.</p>
                    848: 
                    849:     </div>
                    850: 
                    851:    </dd>
                    852: 
                    853: 
                    854:    <dt>The <dfn id="sandboxed-forms-browsing-context-flag">sandboxed forms browsing context flag</dfn>, unless
                    855:    the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's
                    856:    value, when <a href="common-microsyntaxes.html#split-a-string-on-spaces" title="split a string on spaces">split on
                    857:    spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-forms" title="attr-iframe-sandbox-allow-forms"><code>allow-forms</code></dfn>
                    858:    keyword set</dt>
                    859: 
                    860:    <dd>
                    861: 
1.146     mike      862:     <p>This flag <a href="form-submission.html#sandboxSubmitBlocked">blocks form
1.1       mike      863:     submission</a>.</p>
                    864: 
                    865:    </dd>
                    866: 
                    867: 
                    868:    <dt>The <dfn id="sandboxed-scripts-browsing-context-flag">sandboxed scripts browsing context flag</dfn>, unless
                    869:    the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's
                    870:    value, when <a href="common-microsyntaxes.html#split-a-string-on-spaces" title="split a string on spaces">split on
                    871:    spaces</a>, is found to have the <dfn id="attr-iframe-sandbox-allow-scripts" title="attr-iframe-sandbox-allow-scripts"><code>allow-scripts</code></dfn>
                    872:    keyword set</dt>
                    873: 
                    874:    <dd>
                    875: 
                    876:     <p>This flag <a href="webappapis.html#sandboxScriptBlocked">blocks script
                    877:     execution</a>.</p>
                    878: 
                    879:    </dd>
                    880: 
                    881: 
                    882:    <dt>The <dfn id="sandboxed-automatic-features-browsing-context-flag">sandboxed automatic features browsing context
                    883:    flag</dfn>, unless the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute's value, when
                    884:    <a href="common-microsyntaxes.html#split-a-string-on-spaces" title="split a string on spaces">split on spaces</a>, is
                    885:    found to have the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
                    886:    keyword (defined above) set</dt>
                    887: 
                    888:    <dd>
                    889: 
                    890:     <p>This flag blocks features that trigger automatically, such as
1.146     mike      891:     <a href="media-elements.html#attr-media-autoplay" title="attr-media-autoplay">automatically playing a
                    892:     video</a> or <a href="attributes-common-to-form-controls.html#attr-fe-autofocus" title="attr-fe-autofocus">automatically
1.1       mike      893:     focusing a form control</a>. It is relaxed by the same flag as
                    894:     scripts, because when scripts are enabled these features are
                    895:     trivially possible anyway, and it would be unfortunate to force
                    896:     authors to use script to do them when sandboxed rather than
                    897:     allowing them to use the declarative features.</p>
                    898: 
                    899:    </dd>
                    900: 
                    901:   </dl><p>These flags must not be set unless the conditions listed above
                    902:   define them as being set.</p>
                    903: 
                    904:   <p class="warning">These flags only take effect when the
                    905:   <a href="browsers.html#nested-browsing-context">nested browsing context</a> of the <code><a href="#the-iframe-element">iframe</a></code> is
1.15      mike      906:   <a href="history.html#navigate" title="navigate">navigated</a>. Removing them, or removing
1.1       mike      907:   the entire <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code>
                    908:   attribute, has no effect on an already-loaded page.</p>
                    909: 
1.230     mike      910:   </div>
                    911: 
                    912:   <div class="example">
1.1       mike      913: 
                    914:    <p>In this example, some completely-unknown, potentially hostile,
                    915:    user-provided HTML content is embedded in a page. Because it is
1.127     mike      916:    served from a separate domain, it is affected by all the normal
                    917:    cross-site restrictions. In addition, the embedded page has
                    918:    scripting disabled, plugins disabled, forms disabled, and it cannot
                    919:    navigate any frames or windows other than itself (or any frames or
                    920:    windows it itself embeds).</p>
1.1       mike      921: 
                    922:    <pre>&lt;p&gt;We're not scared of you! Here is your content, unedited:&lt;/p&gt;
1.127     mike      923: &lt;iframe sandbox src="http://usercontent.example.net/getusercontent.cgi?id=12193"&gt;&lt;/iframe&gt;</pre>
1.1       mike      924: 
1.127     mike      925:    <p class="warning">It is important to use a separate domain so that
                    926:    if the attacker convinces the user to visit that page directly, the
                    927:    page doesn't run in the context of the site's origin, which would
                    928:    make the user vulnerable to any attack found in the page.</p>
1.1       mike      929: 
1.230     mike      930:   </div>
                    931: 
                    932:   <div class="example">
1.1       mike      933: 
                    934:    <p>In this example, a gadget from another site is embedded. The
                    935:    gadget has scripting and forms enabled, and the origin sandbox
                    936:    restrictions are lifted, allowing the gadget to communicate with
                    937:    its originating server. The sandbox is still useful, however, as it
                    938:    disables plugins and popups, thus reducing the risk of the user
                    939:    being exposed to malware and other annoyances.</p>
                    940: 
                    941:    <pre>&lt;iframe sandbox="allow-same-origin allow-forms allow-scripts"
                    942:         src="http://maps.example.com/embedded.html"&gt;&lt;/iframe&gt;</pre>
                    943: 
1.230     mike      944:   </div>
                    945: 
                    946:   <div class="example">
1.1       mike      947: 
                    948:    <p>Suppose a file A contained the following fragment:</p>
                    949: 
                    950:    <pre>&lt;iframe sandbox="allow-same-origin allow-forms" src=B&gt;&lt;/iframe&gt;</pre>
                    951: 
                    952:    <p>Suppose that file B contained an iframe also:</p>
                    953: 
                    954:    <pre>&lt;iframe sandbox="allow-scripts" src=C&gt;&lt;/iframe&gt;</pre>
                    955: 
                    956:    <p>Further, suppose that file C contained a link:</p>
                    957: 
                    958:    <pre>&lt;a href=D&gt;Link&lt;/a&gt;</pre>
                    959: 
                    960:    <p>For this example, suppose all the files were served as
1.101     mike      961:    <code><a href="iana.html#text-html">text/html</a></code>.</p>
1.1       mike      962: 
                    963:    <p>Page C in this scenario has all the sandboxing flags
                    964:    set. Scripts are disabled, because the <code><a href="#the-iframe-element">iframe</a></code> in A has
                    965:    scripts disabled, and this overrides the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
                    966:    keyword set on the <code><a href="#the-iframe-element">iframe</a></code> in B. Forms are also
                    967:    disabled, because the inner <code><a href="#the-iframe-element">iframe</a></code> (in B) does not
                    968:    have the <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> keyword
                    969:    set.</p>
                    970: 
1.142     mike      971:    <p>Suppose now that a script in A removes all the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attributes in A
                    972:     and B. This would change nothing
                    973:    immediately. If the user clicked the link in C, loading page D into
                    974:    the <code><a href="#the-iframe-element">iframe</a></code> in B, page D would now act as if the
                    975:    <code><a href="#the-iframe-element">iframe</a></code> in B had the <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
1.1       mike      976:    and <code title="attr-iframe-sandbox-allow-forms"><a href="#attr-iframe-sandbox-allow-forms">allow-forms</a></code> keywords
                    977:    set, because that was the state of the <a href="browsers.html#nested-browsing-context">nested browsing
                    978:    context</a> in the <code><a href="#the-iframe-element">iframe</a></code> in A when page B was
                    979:    loaded.</p>
                    980: 
                    981:    <p>Generally speaking, dynamically removing or changing the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute is
                    982:    ill-advised, because it can make it quite hard to reason about what
                    983:    will be allowed and what will not.</p>
                    984: 
1.230     mike      985:   </div>
                    986: 
                    987:   <p class="note">Potentially hostile files should not be served from
1.127     mike      988:   the same server as the file containing the <code><a href="#the-iframe-element">iframe</a></code>
                    989:   element. Using a different domain ensures that scripts in the files
                    990:   are unable to attack the site, even if the user is tricked into
1.230     mike      991:   visiting those pages directly, without the protection of the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute.</p>
                    992: 
                    993:   <p class="warning">If the <code title="attr-iframe-sandbox-allow-scripts"><a href="#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>
1.1       mike      994:   keyword is set along with the <code title="attr-iframe-sandbox-allow-same-origin"><a href="#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
                    995:   keyword, and the file is from the <a href="origin-0.html#same-origin">same origin</a> as the
1.145     mike      996:   <code><a href="#the-iframe-element">iframe</a></code>'s <code><a href="dom.html#document">Document</a></code>, then a script in the
1.1       mike      997:   "sandboxed" iframe could just reach out, remove the <code title="attr-iframe-sandbox"><a href="#attr-iframe-sandbox">sandbox</a></code> attribute, and then
                    998:   reload itself, effectively breaking out of the sandbox
1.230     mike      999:   altogether.</p>
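The flag rules of this section, the A/B/C/D nesting example and the allow-scripts plus allow-same-origin warning, modelled in JavaScript as an added example (not part of the specification or of any user agent). The short flag names, the function names and the lower-casing of keywords are assumptions made for this illustration.

```javascript
// Flags that are set whenever the sandbox attribute is present.
const ALWAYS_SET = ["navigation", "plugins", "seamless-iframes"];

// Flag -> keyword that leaves that flag unset (from the definition list above).
const RELAXED_BY = {
  "top-level-navigation": "allow-top-navigation",
  "origin": "allow-same-origin",
  "forms": "allow-forms",
  "scripts": "allow-scripts",
  "automatic-features": "allow-scripts",
};
const KNOWN_KEYWORDS = new Set(Object.values(RELAXED_BY));

// Split the attribute value on HTML space characters.
// Assumption: keywords are compared after lower-casing.
function sandboxKeywords(value) {
  return new Set(
    value.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// Flags contributed by one iframe element. null means the attribute is absent.
function flagsFromAttribute(value) {
  const flags = new Set();
  if (value === null) return flags;
  const keywords = sandboxKeywords(value);
  ALWAYS_SET.forEach((f) => flags.add(f));
  for (const [flag, keyword] of Object.entries(RELAXED_BY)) {
    if (!keywords.has(keyword)) flags.add(flag);
  }
  return flags;
}

// Flags are fixed when a document is created by navigation: the flags of the
// embedding document (as they were when it was created) plus the flags given
// by the iframe's sandbox attribute at the moment of navigation.
function navigate(embedderFlags, sandboxValueNow) {
  return new Set([...embedderFlags, ...flagsFromAttribute(sandboxValueNow)]);
}

// Review helper for markup: reports the combination the warning above
// describes, and keywords that are not defined in this section (they are
// ignored, so the flag a typo was meant to relax stays set).
function auditSandbox(value, embeddedIsSameOrigin) {
  const findings = [];
  if (value === null) {
    findings.push("sandbox attribute absent: this iframe sets no flags");
    return findings;
  }
  const keywords = sandboxKeywords(value);
  if (
    keywords.has("allow-scripts") &&
    keywords.has("allow-same-origin") &&
    embeddedIsSameOrigin
  ) {
    findings.push(
      "allow-scripts with allow-same-origin on same-origin content: " +
        "the embedded page can remove the sandbox attribute"
    );
  }
  for (const k of keywords) {
    if (!KNOWN_KEYWORDS.has(k)) findings.push("unknown keyword ignored: " + k);
  }
  return findings;
}

// The A/B/C/D example from this section, step by step.
function walkthrough() {
  const sorted = (s) => [...s].sort();
  const a = new Set(); // A is the top-level page, no flags
  const b = navigate(a, "allow-same-origin allow-forms"); // iframe in A loads B
  const c = navigate(b, "allow-scripts"); // iframe in B loads C
  // A script in A removes both sandbox attributes. B and C keep their flags.
  // The user then follows the link in C, so D loads into the iframe in B,
  // whose attribute is now absent; B's own flags are still inherited.
  const d = navigate(b, null);
  return { B: sorted(b), C: sorted(c), D: sorted(d) };
}

console.log(walkthrough());
console.log(auditSandbox("allow-scripts allow-same-origin", true));
```
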
                   1000: 
                   1001: 
                   1002:   <hr><p>The <dfn id="attr-iframe-seamless" title="attr-iframe-seamless"><code>seamless</code></dfn>
1.1       mike     1003:   attribute is a <a href="common-microsyntaxes.html#boolean-attribute">boolean attribute</a>. When specified, it
                   1004:   indicates that the <code><a href="#the-iframe-element">iframe</a></code> element's <a href="browsers.html#browsing-context">browsing
                   1005:   context</a> is to be rendered in a manner that makes it appear to
                   1006:   be part of the containing document (seamlessly included in the
                   1007:   parent document). <span class="impl">Specifically, when the
                   1008:   attribute is set on an <code><a href="#the-iframe-element">iframe</a></code> element whose owner
1.145     mike     1009:   <code><a href="dom.html#document">Document</a></code>'s <a href="browsers.html#browsing-context">browsing context</a> did not have
1.1       mike     1010:   the <a href="#sandboxed-seamless-iframes-flag">sandboxed seamless iframes flag</a> set when that
1.145     mike     1011:   <code><a href="dom.html#document">Document</a></code> was created, and while either the
1.1       mike     1012:   <a href="browsers.html#browsing-context">browsing context</a>'s <a href="browsers.html#active-document">active document</a> has the
                   1013:   <a href="origin-0.html#same-origin">same origin</a> as the <code><a href="#the-iframe-element">iframe</a></code> element's
                   1014:   document, or the <a href="browsers.html#browsing-context">browsing context</a>'s <a href="browsers.html#active-document">active
                   1015:   document</a>'s <em><a href="dom.html#the-document-s-address" title="the document's
                   1016:   address">address</a></em> has the <a href="origin-0.html#same-origin">same origin</a> as the
1.33      mike     1017:   <code><a href="#the-iframe-element">iframe</a></code> element's document, or the <a href="browsers.html#browsing-context">browsing
                   1018:   context</a>'s <a href="browsers.html#active-document">active document</a> is <a href="#an-iframe-srcdoc-document">an
                   1019:   <code>iframe</code> <code title="attr-iframe-srcdoc">srcdoc</code>
1.230     mike     1020:   document</a>, the following requirements apply:</span></p>
                   1021: 
                   1022:   <div class="impl">
1.1       mike     1023: 
1.13      mike     1024:   <ul><li><p>The user agent must set the <dfn id="seamless-browsing-context-flag">seamless browsing context
                   1025:    flag</dfn> to true for that <a href="browsers.html#browsing-context">browsing context</a>. This
                   1026:    will <a href="history.html#seamlessLinks">cause links to open in the parent
                   1027:    browsing context</a> unless an <a href="browsers.html#explicit-self-navigation-override">explicit self-navigation
                   1028:    override</a> is used (<code title="">target="_self"</code>).</p></li>
1.1       mike     1029: 
                   1030:    <li><p>In a CSS-supporting user agent: the user agent must add all
                   1031:    the style sheets that apply to the <code><a href="#the-iframe-element">iframe</a></code> element to
                   1032:    the cascade of the <a href="browsers.html#active-document">active document</a> of the
                   1033:    <code><a href="#the-iframe-element">iframe</a></code> element's <a href="browsers.html#nested-browsing-context">nested browsing context</a>,
                   1034:    at the appropriate cascade levels, before any style sheets
                   1035:    specified by the document itself.</p></li>
                   1036: 
                   1037:    <li><p>In a CSS-supporting user agent: the user agent must, for the
                   1038:    purpose of CSS property inheritance only, treat the root element of
                   1039:    the <a href="browsers.html#active-document">active document</a> of the <code><a href="#the-iframe-element">iframe</a></code>
                   1040:    element's <a href="browsers.html#nested-browsing-context">nested browsing context</a> as being a child of
                   1041:    the <code><a href="#the-iframe-element">iframe</a></code> element. (Thus inherited properties on the
                   1042:    root element of the document in the <code><a href="#the-iframe-element">iframe</a></code> will
                   1043:    inherit the computed values of those properties on the
                   1044:    <code><a href="#the-iframe-element">iframe</a></code> element instead of taking their initial
                   1045:    values.)</p></li>
                   1046: 
                   1047:    <li><p>In visual media, in a CSS-supporting user agent: the user agent
                   1048:    should set the intrinsic width of the <code><a href="#the-iframe-element">iframe</a></code> to the
                   1049:    width that the element would have if it was a non-replaced
                   1050:    block-level element with 'width: auto'.</p></li>
                   1051: 
                   1052:    <li><p>In visual media, in a CSS-supporting user agent: the user
                   1053:    agent should set the intrinsic height of the <code><a href="#the-iframe-element">iframe</a></code> to
                   1054:    the height of the bounding box around the content rendered in the
                   1055:    <code><a href="#the-iframe-element">iframe</a></code> at its current width (as given in the previous
                   1056:    bullet point), as it would be if the scrolling position was such
                   1057:    that the top of the viewport for the content rendered in the
                   1058:    <code><a href="#the-iframe-element">iframe</a></code> was aligned with the origin of that content's
                   1059:    canvas.</p></li>
                   1060: 
                   1061:    <li>
                   1062: 
                   1063:     <p>In visual media, in a CSS-supporting user agent: the user agent
                   1064:     must force the height of the initial containing block of the
                   1065:     <a href="browsers.html#active-document">active document</a> of the <a href="browsers.html#nested-browsing-context">nested browsing
                   1066:     context</a> of the <code><a href="#the-iframe-element">iframe</a></code> to zero.</p>
                   1067: 
                   1068:     <p class="note">This is intended to get around the otherwise
                   1069:     circular dependency of percentage dimensions that depend on the
                   1070:     height of the containing block, thus affecting the height of the
                   1071:     document's bounding box, thus affecting the height of the
                   1072:     viewport, thus affecting the size of the initial containing
                   1073:     block.</p>
                   1074: 
                   1075:    </li>
                   1076: 
                   1077:    <li><p>In speech media, the user agent should render the <a href="browsers.html#nested-browsing-context">nested
                   1078:    browsing context</a> without announcing that it is a separate
                   1079:    document.</p></li>
                   1080: 
                   1081:    <li>
                   1082: 
                   1083:     <p>User agents should, in general, act as if the <a href="browsers.html#active-document">active
                   1084:     document</a> of the <code><a href="#the-iframe-element">iframe</a></code>'s <a href="browsers.html#nested-browsing-context">nested browsing
                   1085:     context</a> was part of the document that the
1.35      mike     1086:     <code><a href="#the-iframe-element">iframe</a></code> is in, if any.</p>
1.1       mike     1087: 
                   1088:     <p class="example">For example if the user agent supports listing
                   1089:     all the links in a document, links in "seamlessly" nested
                   1090:     documents would be included in that list without being
                   1091:     significantly distinguished from links in the document itself.</p>
                   1092: 
                   1093:    </li>
                   1094: 
                   1095:   </ul><p>If the attribute is not specified, or if the <a href="origin-0.html#origin">origin</a>
                   1096:   conditions listed above are not met, then the user agent should
                   1097:   render the <a href="browsers.html#nested-browsing-context">nested browsing context</a> in a manner that is
                   1098:   clearly distinguishable as a separate <a href="browsers.html#browsing-context">browsing context</a>,
                   1099:   and the <a href="#seamless-browsing-context-flag">seamless browsing context flag</a> must be set to
                   1100:   false for that <a href="browsers.html#browsing-context">browsing context</a>.</p>
                   1101: 
                   1102:   <p class="warning">It is important that user agents recheck the
                   1103:   above conditions whenever the <a href="browsers.html#active-document">active document</a> of the
                   1104:   <a href="browsers.html#nested-browsing-context">nested browsing context</a> of the <code><a href="#the-iframe-element">iframe</a></code>
                   1105:   changes, such that the <a href="#seamless-browsing-context-flag">seamless browsing context flag</a>
                   1106:   gets unset if the <a href="browsers.html#nested-browsing-context">nested browsing context</a> is <a href="history.html#navigate" title="navigate">navigated</a> to another origin.</p>
                   1107: 
1.230     mike     1108:   </div>
                   1109: 
                   1110:   <p class="note">The attribute can be set or removed dynamically,
                   1111:   with the rendering updating in tandem.</p>
                   1112: 
                   1113:   <div class="example">
1.1       mike     1114: 
                   1115:    <p>In this example, the site's navigation is embedded as a
                   1116:    client-side include using an <code><a href="#the-iframe-element">iframe</a></code>. Any links in the
                   1117:    <code><a href="#the-iframe-element">iframe</a></code> will, in new user agents, be automatically
                   1118:    opened in the <code><a href="#the-iframe-element">iframe</a></code>'s parent browsing context; for
1.146     mike     1119:    legacy user agents, the site could also include a <code><a href="the-base-element.html#the-base-element">base</a></code>
                   1120:    element with a <code title="attr-base-target"><a href="the-base-element.html#attr-base-target">target</a></code>
1.1       mike     1121:    attribute with the value <code title="">_parent</code>. Similarly,
                   1122:    in new user agents the styles of the parent page will be
                   1123:    automatically applied to the contents of the frame, but to support
                   1124:    legacy user agents authors might wish to include the styles
                   1125:    explicitly.</p>
                   1126: 
                   1127:    <pre>&lt;nav&gt;&lt;iframe seamless src="nav.include.html"&gt;&lt;/iframe&gt;&lt;/nav&gt;</pre>
                   1128: 
1.230     mike     1129:   </div>
                   1130: 
                   1131: 
                   1132:   <hr><p>The <code><a href="#the-iframe-element">iframe</a></code> element supports <a href="dimension-attributes.html#dimension-attributes">dimension
1.1       mike     1133:   attributes</a> for cases where the embedded content has specific
1.230     mike     1134:   dimensions (e.g. ad units have well-defined dimensions).</p>
                   1135: 
                   1136:   <p>An <code><a href="#the-iframe-element">iframe</a></code> element never has <a href="content-models.html#fallback-content">fallback
1.1       mike     1137:   content</a>, as it will always create a nested <a href="browsers.html#browsing-context">browsing
                   1138:   context</a>, regardless of whether the specified initial contents
1.230     mike     1139:   are successfully used.</p>
                   1140: 
                   1141:   <p>Descendants of <code><a href="#the-iframe-element">iframe</a></code> elements represent
1.1       mike     1142:   nothing. (In legacy user agents that do not support
                   1143:   <code><a href="#the-iframe-element">iframe</a></code> elements, the contents would be parsed as markup
1.230     mike     1144:   that could act as fallback content.)</p>
                   1145: 
                   1146:   <p id="iframe-content-model">When used in <a href="infrastructure.html#html-documents">HTML
1.18      mike     1147:   documents</a>, the allowed content model of <code><a href="#the-iframe-element">iframe</a></code>
1.101     mike     1148:   elements is text, except that invoking the <a href="the-end.html#html-fragment-parsing-algorithm">HTML fragment
1.18      mike     1149:   parsing algorithm</a> with the <code><a href="#the-iframe-element">iframe</a></code> element as the
1.101     mike     1150:   <var title="concept-frag-parse-context"><a href="the-end.html#concept-frag-parse-context">context</a></var> element and
1.48      mike     1151:   the text contents as the <var title="">input</var> must result in a
                   1152:   list of nodes that are all <a href="content-models.html#phrasing-content">phrasing content</a>, with no
1.101     mike     1153:   <a href="parsing.html#parse-error" title="parse error">parse errors</a> having occurred, with
1.146     mike     1154:   no <code><a href="the-script-element.html#the-script-element">script</a></code> elements being anywhere in the list or as
1.18      mike     1155:   descendants of elements in the list, and with all the elements in
                   1156:   the list (including their descendants) being themselves
1.230     mike     1157:   conforming.</p>
                   1158: 
                   1159:   <p>The <code><a href="#the-iframe-element">iframe</a></code> element must be empty in <a href="infrastructure.html#xml-documents">XML
                   1160:   documents</a>.</p>
                   1161: 
                   1162:   <p class="note">The <a href="parsing.html#html-parser">HTML parser</a> treats markup inside
                   1163:   <code><a href="#the-iframe-element">iframe</a></code> elements as text.</p>
                   1164: 
                   1165:   <div class="impl">
1.1       mike     1166: 
                   1167:   <p>The IDL attributes <dfn id="dom-iframe-src" title="dom-iframe-src"><code>src</code></dfn>, <dfn id="dom-iframe-srcdoc" title="dom-iframe-srcdoc"><code>srcdoc</code></dfn>, <dfn id="dom-iframe-name" title="dom-iframe-name"><code>name</code></dfn>, <dfn id="dom-iframe-sandbox" title="dom-iframe-sandbox"><code>sandbox</code></dfn>, and <dfn id="dom-iframe-seamless" title="dom-iframe-seamless"><code>seamless</code></dfn> must
                   1168:   <a href="common-dom-interfaces.html#reflect">reflect</a> the respective content attributes of the same
                   1169:   name.</p>
                   1170: 
                   1171:   <p>The <dfn id="dom-iframe-contentdocument" title="dom-iframe-contentDocument"><code>contentDocument</code></dfn>
1.145     mike     1172:   IDL attribute must return the <code><a href="dom.html#document">Document</a></code> object of the
1.1       mike     1173:   <a href="browsers.html#active-document">active document</a> of the <code><a href="#the-iframe-element">iframe</a></code> element's
1.204     mike     1174:   <a href="browsers.html#nested-browsing-context">nested browsing context</a>, if any, or null otherwise.</p>
1.1       mike     1175: 
                   1176:   <p>The <dfn id="dom-iframe-contentwindow" title="dom-iframe-contentWindow"><code>contentWindow</code></dfn>
                   1177:   IDL attribute must return the <code><a href="browsers.html#windowproxy">WindowProxy</a></code> object of the
                   1178:   <code><a href="#the-iframe-element">iframe</a></code> element's <a href="browsers.html#nested-browsing-context">nested browsing
1.204     mike     1179:   context</a>, if any, or null otherwise.</p>
1.1       mike     1180: 
1.230     mike     1181:   </div>
                   1182: 
                   1183:   <div class="example">
1.1       mike     1184: 
                   1185:    <p>Here is an example of a page using an <code><a href="#the-iframe-element">iframe</a></code> to
                   1186:    include advertising from an advertising broker:</p>
                   1187: 
                   1188:    <pre>&lt;iframe src="http://ads.example.com/?customerid=923513721&amp;amp;format=banner"
                   1189:         width="468" height="60"&gt;&lt;/iframe&gt;</pre>
                   1190: 
1.230     mike     1191:   </div>
                   1192: 
                   1193: 
                   1194: 
                   1195: 
                   1196:   </body></html>
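
The warning above, that the seamless conditions must be rechecked whenever the nested browsing context's active document changes, can be illustrated with a toy model; this is an added example, not part of the annotated spec source or any user agent's code. The class NestedContext, its methods and the sample addresses are hypothetical, and the origin conditions are simplified to a comparison of URL.origin strings.

```javascript
// Added example: toy model of a user agent keeping the seamless browsing
// context flag in step with the nested context's active document.
// Assumption: "same origin" is simplified to comparing URL.origin strings.
class NestedContext {
  constructor(parentAddress, seamlessAttr, recheckOnNavigate = true) {
    this.parentAddress = parentAddress;
    this.seamlessAttr = seamlessAttr;           // the iframe's seamless content attribute
    this.recheckOnNavigate = recheckOnNavigate; // false models the flaw the warning targets
    this.activeAddress = null;
    this.seamlessFlag = false;
  }

  // Re-evaluate the conditions: attribute present AND same origin as the parent.
  recheck() {
    const sameOrigin = this.activeAddress !== null &&
      new URL(this.activeAddress).origin === new URL(this.parentAddress).origin;
    this.seamlessFlag = this.seamlessAttr && sameOrigin;
    return this.seamlessFlag;
  }

  // The active document changes; a conforming model rechecks every time.
  navigate(address) {
    const first = this.activeAddress === null;
    this.activeAddress = new URL(address, this.activeAddress || this.parentAddress).href;
    if (first || this.recheckOnNavigate) this.recheck();
    return this.seamlessFlag;
  }

  // The attribute can be set or removed dynamically; the flag follows.
  setSeamless(present) {
    this.seamlessAttr = present;
    return this.recheck();
  }
}

function demo() {
  const parent = "http://site.example/index.html"; // constructed sample addresses
  const good = new NestedContext(parent, true);
  const stale = new NestedContext(parent, true, false); // deliberately skips the recheck
  const results = {
    initial: good.navigate("nav.include.html"),
    crossOrigin: good.navigate("http://other.example/page.html"),
    back: good.navigate("http://site.example/nav.include.html"),
    attrRemoved: good.setSeamless(false),
    otherPort: new NestedContext(parent, true).navigate("http://site.example:8080/nav.html"),
  };
  stale.navigate("nav.include.html");
  results.staleAfterCrossOrigin = stale.navigate("http://other.example/page.html");
  return results;
}
console.log(demo());
```

The staleAfterCrossOrigin result stays true: a model that checks only when the frame is first loaded keeps treating a cross-origin document as seamless, which is the state the recheck requirement rules out.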
