Update napplet iframe sandbox attributes

dskvr · web-flow · commit 3b520fc926bc · 2026-04-06T20:34:23.000+02:00
Removed 'allow-popups' from napplet iframe sandbox attributes.
diff --git a/5D.md b/5D.md
@@ -26,7 +26,7 @@ Communication uses `postMessage`. Napplet to shell: `window.parent.postMessage(m
 
 Napplet iframes MUST use this sandbox attribute:
 
-    allow-scripts allow-forms allow-popups allow-modals allow-downloads
+    allow-scripts allow-forms allow-modals allow-downloads
 
 The `allow-same-origin` token MUST NOT be present. Shells MAY add additional sandbox tokens as needed. Napplets have no access to `localStorage`, `sessionStorage`, `IndexedDB`, direct WebSocket connections, or `window.nostr`. All storage, signing, and relay access is proxied through the shell.
 
