
Re: text/sandboxed-html

From: <sird@rckc.at>
Date: Wed, 13 Jan 2010 10:20:01 +0800
Message-ID: <8ba534861001121820u1a4313bdpb21d65ef0d18e399@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Ian Hickson <ian@hixie.ch>, public-html@w3.org, public-web-security@w3.org

btw, I have one question

<iframe sandbox-src="javascript:'in which context does this run?';">

if it says:

<iframe sandbox-src="javascript:document.cookie;">

it prints the host's site cookie?
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Wed, Jan 13, 2010 at 10:18 AM, sird@rckc.at <sird@rckc.at> wrote:

> this is a great idea! but I think that legacy browsers will prompt a
> <download file> dialog if they don't support it.
>
> why not putting the sandboxed URL inside the sandbox attribute? anyway,
> it's just a suggestion, the new mime type is a great idea, now sandbox makes
> sense!
>
> <iframe sandbox="http://thesite.com/thesandboxed.html"
> sandboxsomething="no-scripts no-frames">
>
> Greetings!!
> -- Eduardo
> http://www.sirdarckcat.net/
>
> Sent from Hangzhou, 33, China
>
> On Wed, Jan 13, 2010 at 10:08 AM, Roy T. Fielding <fielding@gbiv.com> wrote:
>
>> On Jan 12, 2010, at 5:51 PM, Ian Hickson wrote:
>>
>> > In response to implementor feedback regarding the sandbox="" feature of
>> > <iframe> in the WHATWG list [1], and based in part on a 2007 research
>> > paper from Microsoft [2], I have introduced a new MIME type for HTML
>> > (text/sandboxed-html) that is identical to text/html in every way except
>> > one critical aspect: resources served with this MIME type are forced into
>> > a unique security origin context.
>>
>> I would prefer a media type of "text/html-sandboxed", since that places
>> the two types next to each other in a sorted list and allows easier
>> prefix-matching when desired.
>>
>> ....Roy
>>
>>
>>
>
Received on Wednesday, 13 January 2010 02:20:54 GMT
