Help wanted for HTML image basics 1 skill test: what I can do with allow-same-origin

I know it may not be important to use sandbox in the task “Multimedia and embedding 3”. However, I tried using it because I’ve seen in this module that it seems to be recommended. What I want to ask about is allow-same-origin. If I read the MDN iframe page correctly, when I use sandbox and I don’t use that value,

the resource is treated as being from a special origin that always fails the same-origin policy

What I’m not sure about is what “resource” and “a special origin” mean. That is, which word means the place where I try to embed things such as video, and which word means a place such as YouTube.

Hi @user-p

Let’s say you have a website and you use an iframe to embed tweets from Twitter. The “resource” is what you embed with the src attribute of the iframe. In this case it would be something starting with https://twitter.com/
If you don’t use “sandbox”, the iframe has https://twitter.com as its origin. This means the Twitter code you embed has, for example, access to the Twitter cookies, as if you had opened Twitter normally in its own tab. Now, when we use “sandbox” on the iframe, the embedded Twitter content won’t have https://twitter.com as its origin but a “special origin”. Think of the “special origin” as a domain that doesn’t exist, like https://this-has-nothing-to-do-with-twitter.com. As a consequence, your embedded Twitter content can’t access Twitter cookies because they are different origins.
When you add allow-same-origin, your embedded content gets its original origin back (https://twitter.com) and can again read the Twitter cookies while still being in the sandbox.

Does that make sense to you?

All the best,
Michael

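To make the rule in the reply above concrete, here is an added example (not code from the original thread or from MDN) that models, in Node.js, how a browser assigns an origin to an iframe document from its src URL (the “resource”) and its sandbox attribute. It also checks for the one combination the HTML spec warns about: allow-scripts together with allow-same-origin on a frame that is same-origin with the embedding page, which lets the framed script remove the sandbox attribute from its own frame. The URLs (my-site.example, the twitter.com status path) are constructed for illustration, and the model ignores srcdoc, data: URLs and the CSP sandbox directive.

```javascript
'use strict';

// Added example, not code from the original thread. Models how a browser
// decides which origin an <iframe> document runs as, given the src URL
// ("the resource") and the sandbox attribute, and checks for the
// allow-scripts + allow-same-origin escape the HTML spec warns about.
// All URLs in this file are constructed for illustration.

// Serialise a URL's origin as the browser does: scheme://host[:non-default-port]
function originOf(url) {
  return new URL(url).origin;
}

// Parse the sandbox attribute: an unordered, unique, ASCII case-insensitive,
// whitespace-separated token set. null means the attribute is absent.
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) return null;
  const tokens = attrValue.split(/[ \t\n\f\r]+/).filter(Boolean);
  return new Set(tokens.map((t) => t.toLowerCase()));
}

// embedderUrl: the page that contains the <iframe>
// srcUrl:      the iframe's src (the "resource" in the MDN sentence)
// sandboxAttr: sandbox attribute value, '' for a bare `sandbox`, null if absent
function frameOrigin(embedderUrl, srcUrl, sandboxAttr) {
  const flags = parseSandbox(sandboxAttr);
  const sandboxed = flags !== null;
  const srcOrigin = originOf(srcUrl);

  // No sandbox, or sandbox with allow-same-origin: the document keeps the
  // origin of its own URL. Otherwise it gets an opaque origin (MDN's
  // "special origin"), which is same-origin with nothing, not even with
  // another sandboxed copy of the same page. It serialises as "null".
  const opaque = sandboxed && !flags.has('allow-same-origin');
  const origin = opaque ? 'null' : srcOrigin;

  // Same-origin with the src site: can the frame read that site's cookies,
  // localStorage and everything else that site's scripts normally see?
  const sameOriginWithSrc = !opaque;
  // Same-origin with the embedding page: can the frame script window.parent?
  const sameOriginWithEmbedder = !opaque && srcOrigin === originOf(embedderUrl);
  // Spec caveat: allow-scripts plus allow-same-origin on a frame whose src is
  // same-origin with the embedder lets the framed script reach window.parent
  // and simply remove the sandbox attribute from its own <iframe>.
  const canEscapeSandbox =
    sandboxed && flags.has('allow-scripts') && sameOriginWithEmbedder;

  return { origin, opaque, sameOriginWithSrc, sameOriginWithEmbedder, canEscapeSandbox };
}

// Walk through the cases discussed in the thread (constructed URLs).
function demo() {
  const embedder = 'https://my-site.example/page.html';
  const cases = [
    ['https://twitter.com/someone/status/1', null],
    ['https://twitter.com/someone/status/1', ''],
    ['https://twitter.com/someone/status/1', 'allow-scripts'],
    ['https://twitter.com/someone/status/1', 'allow-same-origin'],
    ['https://my-site.example/widget.html', 'allow-scripts allow-same-origin'],
  ];
  for (const [src, sandbox] of cases) {
    const r = frameOrigin(embedder, src, sandbox);
    const attr = sandbox === null ? '(no sandbox)' : `sandbox="${sandbox}"`;
    console.log(
      `${attr.padEnd(42)} origin=${r.origin.padEnd(22)} ` +
        `src cookies: ${r.sameOriginWithSrc ? 'yes' : 'no '} ` +
        `can drop sandbox: ${r.canEscapeSandbox ? 'YES' : 'no'}`
    );
  }
}

demo();
```

The practical reading of the last row is the caveat to remember when reaching for allow-same-origin: it is safe to hand back the real origin to third-party content such as an embedded tweet, because that content is not same-origin with your page anyway, but on content served from your own origin it undoes the sandbox as soon as scripts are allowed as well.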

You gave me a really helpful explanation. I think your message improved/corrected my understanding, especially about why the special origin fails what is expressed as the “same-origin policy” (and probably why the origin is described as special). I appreciate your help.
