Re: text/sandboxed-html

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 15 Jan 2010 20:03:00 +0100
Message-ID: <4B50BBE4.3010305@gmx.de>
To: Maciej Stachowiak <mjs@apple.com>
CC: Ian Hickson <ian@hixie.ch>, public-html@w3.org, public-web-security@w3.org
Maciej Stachowiak wrote:
> 
> On Jan 15, 2010, at 5:33 AM, Julian Reschke wrote:
> 
>> Ian Hickson wrote:
>>> In response to implementor feedback regarding the sandbox="" feature 
>>> of <iframe> in the WHATWG list [1], and based in part on a 2007 
>>> research paper from Microsoft [2], I have introduced a new MIME type 
>>> for HTML (text/sandboxed-html) that is identical to text/html in 
>>> every way except one critical aspect: resources served with this MIME 
>>> type are forced into a unique security origin context.
>>> ...
>>
>> For symmetry, we should also have
>>
>>  application/xhtml-sandboxed+xml
>>
>> right?
> 
> This actually would not have the desired behavior in legacy UAs, because 
> many (well, at least WebKit-based ones) will recognize any MIME type 
> ending in +xml as an XML type and will parse it as such.
> ...

Well, parsing it isn't a problem; right? Do they do more (sniff the 
namespace?).

BR, Julian
Received on Friday, 15 January 2010 19:03:41 UTC
