@jaffathecake I'm desperately keen on learning the...

@jaffathecake I'm desperately keen on learning the true ins and outs of that, but I've found detailed documentation (including browser support) on all of the options you can stuff in that sandbox attribute frustratingly difficult to locate

Like 26 October at 5:21 | Open on fedi.simonwillison.net

5 comments

Jake Archibald

@simon the table at the bottom of https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe is decent

26 October at 14:41 | Open on mastodon.social

Simon Willison

@jaffathecake it's the best I've seen but it still leaves me with so many questions... how good is browser support for each of those allowX things? What do browser security experts advise in terms of using them?

I'm really paranoid :/

26 October at 14:45 | Open on fedi.simonwillison.net

Jake Archibald

@simon the browser support for the various allow features is in the table at the end of the page

26 October at 14:49 | Open on mastodon.social

Simon Willison

@jaffathecake wow I missed that! Thank you, this helps a LOT

26 October at 14:51 | Open on fedi.simonwillison.net

Frederik Braun �

@simon @jaffathecake if you just want the SVG displayed, put them in an <img> tag. Otherwise, your favorite sanitizer library DOMPurify has great SVG support. (Iframe sandbox works really great too!!)

26 October at 15:07 | Open on social.security.plumbing

Go Up