Re: The <iframe> element and sandboxing ideas

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 22 May 2008 05:22:07 +0000 (UTC)
To: Andrew Fedoniouk <news@terrainformatica.com>
Cc: HTMLWG <public-html@w3.org>
Message-ID: <Pine.LNX.4.62.0805220520160.12907@hixie.dreamhostps.com>

On Wed, 21 May 2008, Andrew Fedoniouk wrote:
>
> Ian Hickson wrote:
> > 
> > Summary:
> > 
> >  * I've added a sandbox="" attribute to <iframe>, which by default
> >    disables a number of features and takes a space-separated list of
> >    features to re-enable:
> > 
> ...
> 
> Makes sense, Ian.
> 
> In addition to this, what about adding a <meta> tag that disables or limits
> features of the page if it is running inside a <frame> or <iframe>?
> 
> Say something like this:
> 
> <html>
>   <head>
>     <meta name="allowed-context" value="standalone-only" />
>   </head>
>   ...
> </html>
> 
> That may prevent some types of malicious uses.

There have been proposals along these lines before, e.g. 
   http://www.gerv.net/security/content-restrictions/

I recommend developing these ideas independently and getting 
implementation experience, since they don't need HTML-specific syntax and 
could apply to other vocabularies as well.

Cheers,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 22 May 2008 05:22:49 GMT