Re: <iframe doc="">

On Mon, Jan 25, 2010 at 10:00 AM, Shelley Powers <shelley.just@gmail.com> wrote:
> What I brought up is all of the factors that go into play when it comes to
> comments and security, and did so to demonstrate that the srcdoc, and
> evidently sandbox, change will have little impact.

I do not believe you demonstrated that @sandbox will have little
impact.  You ignored all the security issues that @sandbox currently
addresses and then implied your list was exhaustive.  You also brought
up several issues that are entirely irrelevant for @sandbox, as they
dealt with things that are not related to displaying untrusted
content.  @sandbox isn't magical; it addresses particular concerns
that are difficult/impossible to address with current technologies.

> More importantly to show
> that input scrubbers are used not just with comments, but also with posts
> and articles--potentially we could have nothing but pages of content that
> are iframe elements with escaped markup in text. Which won't be very useful
> for friendly web bots.

Spiders will read @srcdoc as well.  It won't be a big deal to have
them treat it as part of the page, as it's intended.

> But if the real purpose of the attributes, and the concept, is for ads,
> that's a different story. That should have been the customer, and the use
> case given, and should include an example of how this functionality would be
> used with the primary use case.

That was one of the concepts for @sandbox, and it was given.  We're
discussing @srcdoc, though, which is irrelevant for the ad-serving use
case.

> In fact, by promoting sandboxing as security for comments, we may actually
> be doing people a disservice, because existing comment safety is a superior
> option.
> Can one of you provide an example of how this works with ads, and the third
> party ad sellers?

<iframe sandbox seamless src="http://ads.example.com/?ref=foobar"></iframe>

Because, as stated, @sandbox is useful for ads, but not @srcdoc.

~TJ

Received on Monday, 25 January 2010 16:07:45 UTC
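As an added illustration of the comment use case argued over above (this is editorial example code, not part of the original thread or of any HTML implementation): the "page of iframe elements with escaped markup" that Shelley describes is exactly what a @srcdoc comment renderer emits. Since the attribute value is the whole document, the only characters that must be escaped are the ones that would end a double-quoted attribute value, '&' and '"'; '<', '>' and even a literal '</iframe>' in the comment are harmless inside the attribute. The helper names, the empty `sandbox` (no `allow-scripts`, no `allow-same-origin`, so script is off and the content gets an opaque origin) and the sample comment are assumptions of this example; the `seamless` attribute used in the ad snippet above was later dropped from HTML and is not used here.

```javascript
// Added example, not code from the original mailing-list thread.
// Demonstrates rendering an untrusted comment into a sandboxed srcdoc iframe.

// Escape a string for use inside a double-quoted HTML attribute value.
// Only '&' and '"' need escaping; '&' goes first so an '&quot;' already in the
// text round-trips instead of being swallowed.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Wrap one untrusted comment in a sandboxed iframe.
// No sandbox flags: scripts are disabled and the frame gets a unique opaque
// origin, so even if the escaping were wrong the content could not read the
// embedding page's cookies or DOM in a browser that honours @sandbox.
function commentIframe(untrustedHtml) {
  return '<iframe sandbox srcdoc="' + escapeAttr(untrustedHtml) + '"></iframe>';
}

// Inverse of escapeAttr, i.e. what a spider reading @srcdoc (or the browser
// itself) recovers as the comment markup. Order matters: '&quot;' before
// '&amp;'. A real HTML parser does a full character-reference decode; this is
// only the exact inverse of the escaping above.
function unescapeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// Constructed sample comment: markup, an onerror handler, and quotes and an
// entity that would break naive attribute building.
const SAMPLE_COMMENT =
  '<b>hi</b> <img src="x" onerror="alert(1)"> &amp; "quotes"';

// Render a list of comments as the page body would carry them.
function renderComments(comments) {
  return comments.map(commentIframe).join("\n");
}

console.log(renderComments([SAMPLE_COMMENT]));
```

The frame is defence in depth beside an input scrubber rather than a replacement for one: a user agent that ignores both attributes just shows an empty frame, but the onerror handler in the sample still reaches the sandboxed document verbatim, and it is @sandbox, not the escaping, that keeps it from running.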