W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: text/sandboxed-html

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 13 Jan 2010 07:09:19 +0000 (UTC)
To: Toby Inkster <tai@g5n.co.uk>
Cc: public-html@w3.org
Message-ID: <Pine.LNX.4.62.1001130707120.8558@hixie.dreamhostps.com>
On Wed, 13 Jan 2010, Toby Inkster wrote:
> On Wed, 2010-01-13 at 10:18 +0800, sird@rckc.at wrote:
> > why not putting the sandboxed URL inside the sandbox attribute?
> > anyway, it's just a suggestion, the new mime type is a great idea, now
> > sandbox makes sense!
> > 
> > <iframe sandbox="http://thesite.com/thesandboxed.html"
> > sandboxsomething="no-scripts no-frames">
> 
> Using a new attribute rather than src seems like a sensible idea to me. 
> Legacy user agents won't load anything from:
> 
> 	<iframe sandbox="http://example.com/sandboxed.html"></iframe>
> 
> And won't pop up annoying dialogue boxes.

That would make it impossible to use sandbox="" as a defence-in-depth 
measure, which is one of the important use cases. The idea being that in 
addition to filtering the markup, you also want the UA to make sure that 
any scripts you missed simply can't run.


> It seems to eliminate the need for an additional media type 
> registration; and it makes things simpler for those HTML publishers who 
> are not au fait with configuring their web servers.

You'd still need the extra MIME type to handle the case mentioned in:

   http://lists.w3.org/Archives/Public/public-html/2010Jan/0506.html

(Where I wrote "The main reason...".)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 13 January 2010 07:09:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:57 GMT