
Re: The <iframe> element and sandboxing ideas

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 13 Feb 2009 21:54:51 +0000 (UTC)
To: Martin Atkins <mart@degeneration.co.uk>
Cc: HTMLWG <public-html@w3.org>, whatwg <whatwg@whatwg.org>
Message-ID: <Pine.LNX.4.62.0902132153210.28232@hixie.dreamhostps.com>


(Please pick one mailing list when replying, so as to reduce 
cross-posting.)

On Thu, 22 May 2008, Martin Atkins wrote:
> > 
> >  * I've added a sandbox="" attribute to <iframe>, which by default
> >    disables a number of features and takes a space-separated list of
> >    features to re-enable:
> 
> Unless I'm missing something, this attribute is useless in practice 
> because legacy browsers will not impose the restrictions. This means 
> that as long as legacy browsers exist (i.e. forever) server-side 
> filtering must still be employed to duplicate the effects of the 
> sandbox.
> 
> One alternative would be to use a different element name so that 
> fallback content can be provided for legacy browsers. In the short term, 
> this is likely to be something like this:
> 
> <sandbox src="/comments/blah">
> <iframe src="/comments/blah?do-security-filtering=1"></iframe>
> </sandbox>
> 
> Once a large percentage of browsers support <sandbox> authors can start 
> to be less accommodating with their fallback content, either by 
> filtering out HTML tags entirely (which I'd assume is easier than just 
> filtering out script) or at the extreme just setting the fallback 
> content to be "Your browser is not supported".

One can just do:

   <iframe sandbox src="/comments/blah?do-security-filtering=1"></iframe>

The "sandbox" feature just provides one more level of defence in depth, 
and is not intended to be a complete security solution.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
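The two layers discussed above, as an added example that is not part of the original thread: the server-side filtering that every browser gets (the role played by the "?do-security-filtering=1" URL in the exchange) and the iframe sandbox attribute that only browsers implementing it will enforce. The small allowlist of inline tags is an assumption for illustration; the sandbox token names (allow-forms, allow-scripts, allow-same-origin) are those of the current HTML specification, which later standardized the attribute proposed here.

```javascript
// Added example, not code from the thread. Two layers for embedding
// untrusted comment HTML:
//   layer 1: server-side filtering, which works in every browser;
//   layer 2: the iframe sandbox attribute, which legacy browsers ignore,
//            so it is only defence in depth on top of layer 1.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every HTML metacharacter so the text is rendered, never parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Assumed allowlist of harmless inline formatting tags (illustrative choice).
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "code"]);

// Layer 1: keep allowlisted tags with all attributes dropped, escape everything
// else (including unknown tags, so <script> comes out as visible text).
// The regex matches either a whole tag or a single character, so no input
// character is ever passed through unexamined.
function filterCommentHtml(html) {
  return String(html).replace(/<\/?([a-zA-Z0-9]+)[^>]*>|[\s\S]/g, (token, tag) => {
    if (tag !== undefined) {
      const name = tag.toLowerCase();
      if (ALLOWED_TAGS.has(name)) {
        return token.startsWith("</") ? `</${name}>` : `<${name}>`;
      }
    }
    return escapeHtml(token);
  });
}

// Layer 2: build the embedding markup. An empty sandbox value applies every
// restriction (no script, no forms, unique origin, no top-level navigation);
// tokens re-enable individual features, so pass as few as possible.
function sandboxedIframe(src, allow = []) {
  const tokens = allow.join(" ");
  return `<iframe sandbox="${escapeHtml(tokens)}" src="${escapeHtml(src)}"></iframe>`;
}

// Constructed sample comment, as an attacker-controlled string might look.
const SAMPLE_COMMENT = '<b onclick="x()">hi</b> <script>alert(1)</script>';

console.log(filterCommentHtml(SAMPLE_COMMENT));
console.log(sandboxedIframe("/comments/blah?do-security-filtering=1"));
```

The filtered output is what the comments page serves regardless of browser; the sandboxed iframe only adds a second barrier in browsers that implement the attribute, which is exactly why the reply above treats it as defence in depth rather than a replacement for the server-side filter.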
Received on Friday, 13 February 2009 22:06:53 GMT