W3C home > Mailing lists > Public > public-html@w3.org > May 2009

RE: HTML interpreter vs. HTML user agent

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 31 May 2009 17:58:14 +0000 (UTC)
To: Larry Masinter <masinter@adobe.com>
Cc: HTML WG <public-html@w3.org>
Message-ID: <Pine.LNX.4.62.0905311754460.11443@hixie.dreamhostps.com>
On Sun, 31 May 2009, Larry Masinter wrote:
> About Safari's feed reader, Maciej wrote:
> 
> > 2) We can also display a user-selected collection of feeds as one  
> > document, again displayed as HTML.
> > 3) We don't execute any script that came from the feed in the context  
> > of generated HTML document. At the very least due to point #2 this  
> > would be insecure.
> > 4) We don't let any web page access the contents of the generated HTML  
> > document via script.
> 
> Doesn't this somehow create a "restricted HTML" which is allowed in
> a feed? The HTML in a feed can't be scripted at all? Or the scripts
> can't access the HTML of their subsection?
> 
> I was wondering how HTML-in-webmail could work, since the HTML of
> the mail needs to be embedded in the HTML of the webmail client itself.
> 
> Where in the HTML spec is this addressed?

Just turning off scripting is just a matter of setting "scripting is 
disabled":

   http://www.whatwg.org/specs/web-apps/current-work/#concept-bc-script

One could leverage the sandbox features to disable forms, plugins, 
navigation of other browsing contexts, and to make the origin appear to be 
a unique origin:

   http://www.whatwg.org/specs/web-apps/current-work/#attr-iframe-sandbox

...though that's not been requested by implementors so far.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 31 May 2009 17:58:50 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:03 UTC