Re: XSS risk from iframe@doc?

From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
Date: Sun, 17 Jan 2010 22:01:13 +0100
Message-ID: <4B537A99.5040800@lachy.id.au>
To: Ian Hickson <ian@hixie.ch>
Cc: Adam Barth <w3c@adambarth.com>, HTML WG <public-html@w3.org>

Ian Hickson wrote:
> doc="" is only meant to be used with sandbox="". I can just make it not do
> anything at all if sandbox="" isn't specified, if that helps.

Why not just make it easier and say that doc="" is always processed as 
if sandbox="" were specified, even if the author didn't specify it 
explicitly?  Requiring the author to always remember to type <iframe 
doc="..." sandbox=""> just seems redundant, unless they want to specify 
some of the sandbox allow-* values.

-- 
Lachlan Hunt - Opera Software
http://lachy.id.au/
http://www.opera.com/
Received on Sunday, 17 January 2010 21:01:46 UTC
