W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: <iframe doc="">

From: Smylers <Smylers@stripey.com>
Date: Sat, 16 Jan 2010 10:23:58 +0000
To: public-html@w3.org
Message-ID: <20100116102358.GX2753@stripey.com>
Julian Reschke writes:

> Ian Hickson wrote:
> 
> >           <iframe seamless sandbox="allow-scripts allow-forms" doc="
> >             Read my blog!
> >             <a href='#' onclick='alert(document.cookie)'> Click here</a> 
> >           "> </iframe> 
> 
> I thought markup in attributes was a super-anti-pattern.
> 
> How about adding one level of indirection?
> 
>           <iframe seamless sandbox="allow-scripts allow-forms"  
> doc="#x"> </iframe> 
> 
>           ...
> 
>           <span id=x> <a href='#' onclick='alert(document.cookie)'> Click  
> here</a> </span> 

Wouldn't that have the security problem that a browser which doesn't
know about sandbox will just have that content as a normal part of the
page, unsandboxed?

(Whereas using the attribute, a non-sandbox-supporting browser will
simply ignore the attribute.  The content won't render; which obviously
isn't ideal, but it's preferably to being insecure.)

Smylers
-- 
Watch fiendish TV quiz 'Only Connect' (some questions by me)
Mondays at 20:30 on BBC4, or iPlayer: http://www.bbc.co.uk/programmes/b00lskhg
Received on Saturday, 16 January 2010 10:24:29 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:12 UTC