- From: Leonard Rosenthol <lrosenth@adobe.com>
- Date: Sun, 24 Jan 2010 11:05:18 -0800
- To: Maciej Stachowiak <mjs@apple.com>, "Tab Atkins Jr." <jackalmage@gmail.com>
- CC: Shelley Powers <shelley.just@gmail.com>, Ian Hickson <ian@hixie.ch>, "public-html@w3.org WG" <public-html@w3.org>
> The browser can know definitively whenever it's about to run script, so it can definititively stop all > possible ways of doing so without having to guess > That seems to be an assumption that I would dispute. A browser can know when it is about to run visible/exposed scripts in standard locations that it supports. I agree. HOWEVER, unless the browser has implemented (and has control over) EVERY SINGLE PART of its code - from the OS foundations to the rendering system - what it can NOT know if when scripts may be executed outside of its control. Some video formats allow for calls outside the normal chain of execution (eg. for cuepoints and the like) - how could you prevent that if you don't know about it? Some operating systems allow for attaching scripts to UI elements, which could be invoked simply by the UA rendering a standard control. (and the list goes on). To assume that any UA is completely control of the ALL aspects of execution of ALL scripts would be wrong. Leonard -----Original Message----- It's not really just a matter of parsing, but also of knowing what kinds of things in the markup can cause script to run (or do other things that it's desirable to block when sanitizing). Though that's really a feature of sandboxed iframes, not of srcdoc per se. The browser can know definitively whenever it's about to run script, so it can definititively stop all possible ways of doing so without having to guess. Regards, Maciej
Received on Sunday, 24 January 2010 19:06:04 UTC