Re: <iframe doc=""> from Shelley Powers on 2010-01-25 (public-html@w3.org from January 2010)

From: Shelley Powers <shelley.just@gmail.com>
Date: Mon, 25 Jan 2010 10:34:08 -0600
To: Kornel <kornel@geekhood.net>
Cc: public-html@w3.org
Message-ID: <643cc0271001250834v6f3e0c0by5fa60312de68cfac@mail.gmail.com>

On Mon, Jan 25, 2010 at 10:24 AM, Kornel <kornel@geekhood.net> wrote:

> On 25 Jan 2010, at 15:28, Shelley Powers wrote:
>
>  I'm not being disingenuous. And I ask you to remember to be civil in
>> responding to me. I also ask that you stop dictating how and in what way I
>> can bring up concerns.
>>
>
> The concerns you brought[1] were mostly issues unrelated/orthogonal to
> @srcdoc, and some appeared to be strawman arguments (it should be obvious to
> members of this group that HTML is unable to effectively prevent spam or
> server-side SQL injection).
>
>
No, I brought up the stated use case, and then highlighted the state of art
that exists today related to that specific use case: comment security.

This was not irrelevant. Security of comments is not something to do
only with protecting against script injection, but a host of other
security issues. We have tools that provide this security now -- I'm
questioning what this addition to the HTML5 spec will add to what we
have today, implemented by other tools and technologies.
I'm also questioning it because of the potential danger of the current
example, which could be taken by the naive user to mean that they have to
provide _no other protection_ other than this iframe/srcdoc change.

These are fair questions to ask, given the primary use case provided, and
given the example and the discussion included in the HTML5 specification
associated with this change.

Shelley


>  So I am trying to understand the purpose of this change, and who Ian
>> perceives to be the customer for this change. These are appropriate
>> questions to ask: we can not determine the technical merit of a solution
>> unless we have an understanding of all the particulars.
>>
>
> To understand this you must first understand relationship between @srcdoc
> with @sandbox. You seem to be debating merit of @sandbox, but insisting that
> it is issue of @srcdoc.
>
> Sandbox for comments and ads might still be implemented without @srcdoc,
> for example with src="data:text/html-sandboxed,…" or external file with
> appropriate MIME type. Do you oppose inclusion of markup in @srcdoc
> attribute (which is one of the options, mainly for authors' convenience), or
> any use of <iframe> for sandboxing of content?
>
>
>  Adam now has stated this change wasn't to do with comments, but ads. Or
>> not only to do with comments, but also to do with ads. That is an entirely
>> different thing: different customers, different uses, different concerns,
>> different technical challenges.
>>
>
> This is not entirely different thing. Both are examples of untrusted markup
> that would be useful to include inline in the page, without risk of XSS and
> need for very complicated sanitisation.
>
> --
> regards, Kornel
>
> [1] http://lists.w3.org/Archives/Public/public-html/2010Jan/1276.html

Received on Monday, 25 January 2010 16:34:42 UTC