W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: <iframe doc="">

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 18 Jan 2010 09:49:24 -0800
Message-ID: <7789133a1001180949i7faa0ebfv5499d52c5adf235@mail.gmail.com>
To: Joe D Williams <joedwil@earthlink.net>
Cc: Henri Sivonen <hsivonen@iki.fi>, public-html@w3.org
I don't understand why you think object/embed provides more security
than iframe.  When you load HTML into an object/embed, what you get is
exactly the same as an iframe.

Adam


On Mon, Jan 18, 2010 at 8:11 AM, Joe D Williams <joedwil@earthlink.net> wrote:
> I hit the button a bit early (or way too late) but the main point was to be
> that there has to be a better way that will stand the test of whether all
> features of html5 remain available to the xml community and specifically to
> the author that needs to move from text/html to application/xhtml+xml.
>
> That said, an even bigger point is that while I totally support predictable
> and authorable security enhancements to <iframe> it seems like we should
> really try to do it inside the rails. It is no accident that attrs are
> intended for final data values, not element content. That just makes it
> easier for mere mortals to work with. Just as an example, consider looking
> at this as three levels of security: an ordinary <div> that is an element in
> the DOM and fully accessible; an <iframe> which is intended for importing
> interactive html and may or may not produce authorable elements in the host
> DOM depending upon UA defaults and author's declarations; and
> <embed>/<object> which are designed to allow secure operation of an
> 'external' but connected execution context with carefully defined scriptable
> interfaces to the host DOM.
> Needless to say the security techniques employed for <embed> and <object>
> may not be appropriate for <iframe>, still there are similarities that
> should be explored before diving into the user code bozungle of html/xml
> attributes as content.
>
> Thanks Again and Best Regards,
> Joe
>
>
>
Received on Monday, 18 January 2010 17:50:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:58 GMT