W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: <iframe doc="">

From: Joe D Williams <joedwil@earthlink.net>
Date: Mon, 18 Jan 2010 08:11:07 -0800
Message-ID: <D6BC8A5356904B6EA1BAA17E7632F154@joe1446a4150a8>
To: "Joe D Williams" <joedwil@earthlink.net>, "Henri Sivonen" <hsivonen@iki.fi>, <public-html@w3.org>
I hit the button a bit early (or way too late) but the main point was 
to be that there has to be a better way that will stand the test of 
whether all features of html5 remain available to the xml community 
and specifically to the author that needs to move from text/html to 
application/xhtml+xml.

That said, an even bigger point is that while I totally support 
predictable and authorable security enhancements to <iframe> it seems 
like we should really try to do it inside the rails. It is no accident 
that attrs are intended for final data values, not element content. 
That just makes it easier for mere mortals to work with. Just as an 
example, consider looking at this as three levels of security: an 
ordinary <div> that is an element in the DOM and fully accessible; an 
<iframe> which is intended for importing interactive html and may or 
may not produce authorable elements in the host DOM depending upon UA 
defaults and author's declarations; and <embed>/<object> which are 
designed to allow secure operation of an 'external' but connected 
execution context with carefully defined scriptable interfaces to the 
host DOM.
Needless to say the security techniques employed for <embed> and 
<object> may not be appropriate for <iframe>, still there are 
similarities that should be explored before diving into the user code 
bozungle of html/xml attributes as content.

Thanks Again and Best Regards,
Joe
Received on Monday, 18 January 2010 16:13:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:12 UTC