W3C home > Mailing lists > Public > public-html@w3.org > May 2008

Re: [whatwg] The <iframe> element and sandboxing ideas

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 22 May 2008 22:19:12 -0500
Message-ID: <483637B0.3080209@mit.edu>
To: Kristof Zelechovski <giecrilj@stegny.2a.pl>
CC: "'Ian Hickson'" <ian@hixie.ch>, public-webapi@w3.org, "'whatwg'" <whatwg@whatwg.org>, "'HTMLWG'" <public-html@w3.org>

Kristof Zelechovski wrote:
> 1. Nested browsing contexts in a sandboxed frame cannot be created
> dynamically but they can be defined by the inner markup.

There was no mention of "dynamically" in Ian's proposal.  My assumption 
was that "cannot create browsing contexts" meant just that.  If it 
doesn't, the wording needs some changes.

> 2. If the frame is not allowed to execute scripts, setting location to
> script should have no effect.

OK.  Again, that was not clear in the original proposal.

> 4. Percentage in height scales to the container's height, not to the initial
> dimensions of the current element.  It is an error if the container's height
> is left implicit

It's not an error in CSS.  Or are you suggesting a different algorithm?

> or if the sum of percentages exceeds 100%.

Again, not a problem in CSS.  Percentages of auto just get treated as 
auto.  If you're suggesting a totally different algorithm, it needs a 
lot of fleshing out.

> 5. The argument against SANDBOX is that the user could inject /SANDBOX.  The
> argument against code attribute is that the user could inject a quote.
> Aren't these similar enough to reconsider SANDBOX?  

SANDBOX and the non-base64 attribute thing seem pretty similar in a lot 
of ways to me, except that the iframe (having a separate Window and 
such) might be easier to secure in existing implementations.

-Boris
Received on Friday, 23 May 2008 03:20:28 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:38:55 UTC