:memo: Notice on `sandbox` attribute.

author Cheng Zhao <zcbenz@gmail.com>

Tue, 4 Mar 2014 13:34:14 +0000 (21:34 +0800)

committer Cheng Zhao <zcbenz@gmail.com>

Tue, 4 Mar 2014 13:44:15 +0000 (21:44 +0800)
author Cheng Zhao <zcbenz@gmail.com>
Tue, 4 Mar 2014 13:34:14 +0000 (21:34 +0800)
committer Cheng Zhao <zcbenz@gmail.com>
Tue, 4 Mar 2014 13:44:15 +0000 (21:44 +0800)
diff --git a/docs/api/browser/browser-window.md b/docs/api/browser/browser-window.md

index ce01915..43ef062 100644 (file)
--- a/docs/api/browser/browser-window.md
+++ b/docs/api/browser/browser-window.md
@@ -66,6 +66,14 @@ An example of enable node integration in iframe with `node-integration` set to
  <iframe src="http://jandan.net"></iframe>
  ```
  
+And you should also notice that the iframes can have access to parent window's
+javascript objects via `window.parent`, so in order to grant complete security
+from iframes, you should add `sandbox` attribute to the iframes:
+
+```html
+<iframe sandbox="allow-scripts" src="http://bbs.seu.edu.cn"></iframe>
+```
+
  ### Event: 'page-title-updated'
  
  * `event` Event
author	Cheng Zhao <zcbenz@gmail.com>
	Tue, 4 Mar 2014 13:34:14 +0000 (21:34 +0800)
committer	Cheng Zhao <zcbenz@gmail.com>
	Tue, 4 Mar 2014 13:44:15 +0000 (21:44 +0800)