
Re: <iframe doc="">

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Mon, 25 Jan 2010 10:06:52 -0600
Message-ID: <dd0fbad1001250806v6a4f6386kf92e1b8721d920f9@mail.gmail.com>
To: Shelley Powers <shelley.just@gmail.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Lars Gunther <gunther@keryx.se>, "public-html@w3.org WG" <public-html@w3.org>

On Mon, Jan 25, 2010 at 10:00 AM, Shelley Powers <shelley.just@gmail.com> wrote:
> What I brought up is all of the factors that go into play when it comes to
> comments and security, and did so to demonstrate that the srcdoc, and
> evidently sandbox, change will have little impact.

I do not believe you demonstrated that @sandbox will have little
impact.  You ignored all the security issues that @sandbox currently
addresses and then implied your list was exhaustive.  You also brought
up several issues that are entirely irrelevant for @sandbox, as they
dealt with things that are not related to displaying untrusted
content.  @sandbox isn't magical; it addresses particular concerns
that are difficult/impossible to address with current technologies.

> More importantly to show
> that input scrubbers are used not just with comments, but also with posts
> and articles--potentially we could have nothing but pages of content that
> are iframe elements with escaped markup in text. Which won't be very useful
> for friendly web bots.

Spiders will read @srcdoc as well.  It won't be a big deal to have
them treat it as part of the page, as it's intended.

> But if the real purpose of the attributes, and the concept, is for ads,
> that's a different story. That should have been the customer, and the use
> case given, and should include an example of how this functionality would be
> used with the primary use case.

That was one of the concepts for @sandbox, and it was given.  We're
discussing @srcdoc, though, which is irrelevant for the ad-serving use
case.

> In fact, by promoting sandboxing as security for comments, we may actually
> be doing people a disservice, because existing comment safety is a superior
> option.
> Can one of you provide an example of how this works with ads, and the third
> party ad sellers?

<iframe sandbox seamless src="http://ads.example.com/?ref=foobar"></iframe>

Because, as stated, @sandbox is useful for ads, but not @srcdoc.

~TJ
Received on Monday, 25 January 2010 16:07:45 UTC
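The two patterns the thread contrasts, written out as an added example that is not part of the original message: untrusted inline markup (a comment) goes through @srcdoc with attribute escaping, while third-party content fetched by URL (an ad) goes through @src, both under @sandbox. The helper names, the sample comment and the URL are constructed for illustration.

```javascript
// Added example, not code from the original thread.
// @srcdoc is an attribute, so the embedded document must be attribute-escaped:
// an unescaped '"' would end the value and '&' would be decoded as an entity.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Build the sandbox attribute. An empty token list is the fully locked-down
// form (bare `sandbox`). allow-scripts together with allow-same-origin is
// refused: a same-origin script can remove the frame's own sandbox attribute.
function sandboxAttr(tokens) {
  const t = new Set(tokens);
  if (t.has("allow-scripts") && t.has("allow-same-origin")) {
    throw new Error("allow-scripts with allow-same-origin defeats the sandbox");
  }
  return t.size ? `sandbox="${[...t].join(" ")}"` : "sandbox";
}

// Untrusted inline content (a comment): the markup stays readable in the page
// source for spiders, but scripts, forms and navigation are off by default.
function commentIframe(untrustedHtml, tokens = []) {
  return `<iframe ${sandboxAttr(tokens)} srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`;
}

// Third-party content served by URL (an ad): @src, never @srcdoc. The ad may
// run scripts but gets a unique origin, so it cannot touch the embedding page.
function adIframe(url, tokens = ["allow-scripts"]) {
  return `<iframe ${sandboxAttr(tokens)} src="${escapeAttr(url)}"></iframe>`;
}

// Constructed sample input: a comment that carries an entity, quotes and a script.
const sampleComment = '<p>Nice post &amp; "thanks" <script>alert(1)</script></p>';

console.log(commentIframe(sampleComment));
console.log(adIframe("http://ads.example.com/?ref=foobar"));
```

The script tag survives in the srcdoc text but does not execute, because the frame has no allow-scripts token.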