Re: [whatwg] The <iframe> element and sandboxing ideas

From: Adam Barth <whatwg@adambarth.com>
Date: Fri, 13 Feb 2009 15:50:42 -0800
Message-ID: <7789133a0902131550l33a5d69cgaaf456cf1c92f097@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, whatwg <whatwg@whatwg.org>, HTMLWG <public-html@w3.org>

On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson <ian@hixie.ch> wrote:
> Indeed. If someone can come up with a way of making this work in legacy
> UAs, I'd certainly be happy to change the spec to do that.

Here's a suggestion.  When requesting the contents of a sandboxed
iframe, send an HTTP header that contains the sandbox policy:

X-HTML-Sandbox-Policy: allow-forms, allow-scripts

Servers can decide not to serve untrusted content if they don't see a
sandbox policy they like.

Adam
Received on Saturday, 14 February 2009 14:32:44 GMT
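
Added example, not part of the original message: one way a server could act on the header proposed above, refusing untrusted content unless the request announces a sandbox policy the server accepts. The header exists only as the proposal in this thread; the function names, the server's acceptable-policy set, and the treatment of an empty value as "sandboxed with no allowances" are assumptions.

```python
# Server-side gate for the X-HTML-Sandbox-Policy request header proposed in
# this thread. Names and policy choices below are illustrative assumptions.

HEADER = "x-html-sandbox-policy"


def parse_sandbox_policy(header_value):
    """Return the set of allowance tokens, or None when the header is absent."""
    if header_value is None:
        return None
    # Tokens are comma-separated; tolerate stray whitespace, case and commas.
    return {t.strip().lower() for t in header_value.split(",") if t.strip()}


def may_serve_untrusted(headers, acceptable):
    """Serve only if every allowance the UA announced is acceptable.

    A missing header (for example a legacy UA that does not sandbox the
    frame) fails closed, as does any token the server does not accept.
    """
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == HEADER), None)
    policy = parse_sandbox_policy(value)
    if policy is None:
        return False
    return policy <= set(acceptable)


def status_for(headers, acceptable):
    """Map the decision to an HTTP status code for the untrusted resource."""
    return 200 if may_serve_untrusted(headers, acceptable) else 403


if __name__ == "__main__":
    # Constructed sample requests.
    server_accepts = {"allow-forms"}  # this server never wants scripts to run
    samples = [
        {"X-HTML-Sandbox-Policy": "allow-forms"},
        {"X-HTML-Sandbox-Policy": "allow-forms, allow-scripts"},
        {"X-HTML-Sandbox-Policy": ""},  # assumed: sandboxed, no allowances
        {"User-Agent": "legacy"},       # no sandbox header at all
    ]
    for request_headers in samples:
        print(request_headers, "->", status_for(request_headers, server_accepts))
```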