
Re: <iframe doc="">

From: Shelley Powers <shelley.just@gmail.com>
Date: Mon, 25 Jan 2010 16:17:42 -0600
Message-ID: <643cc0271001251417r6dee78b5la5e328411bac88af@mail.gmail.com>
To: Lachlan Hunt <lachlan.hunt@lachy.id.au>
Cc: public-html@w3.org
>
>
> That security issue is completely independent from XSS, which is where
> client-side scripts are inserted into user generated content which, when
> subsequently output by the server in the page and viewed by other users,
> execute in the browser with the same origin, and thus privileges, as a
> normal script inserted by the page owner would have.
>
> http://en.wikipedia.org/wiki/Cross-site_scripting
>
> Sandboxing in this context is an additional layer of protection against
> XSS.  It's a signal to the browser that it should not permit, for example,
> the execution of scripts, or to allow scripts but restrict their access in
> specific ways (depending on the sandbox attribute's value).
>

Let me ask you something else, Lachlan: is there any CMS, such as WordPress
or Drupal, or any other application in the entire world that wants to let
you store a comment with a script injection into the database?

The srcdoc attribute is attempting to solve a problem that's not a browser's
to solve.

> --
> Lachlan Hunt - Opera Software
>


Shelley
> http://lachy.id.au/
> http://www.opera.com/
>
Received on Monday, 25 January 2010 22:18:16 UTC
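The layering Lachlan describes, as an added example that is not part of the thread: a server-side function (the names `renderComment` and `escapeAttr` are this example's own) that embeds a stored, untrusted comment in a sandboxed `<iframe srcdoc>`. It shows the two defences a practitioner needs together: attribute-escaping the srcdoc value so the comment cannot close the attribute, and a sandbox with no `allow-scripts` token so the browser does not run any script the comment contains.

```javascript
// Added example, not code from the original mailing-list thread.
// Defence 1: escape the characters that matter inside a double-quoted HTML
// attribute, so comment text cannot terminate the srcdoc attribute and land
// in the host document. The browser decodes these entities before parsing
// the srcdoc value as the frame's own HTML, so markup still renders inside.
function escapeAttr(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Defence 2: an empty sandbox value grants nothing: no script execution, and
// a unique origin, so even a stored <script> in the comment neither runs nor
// acts with the host page's privileges.
function renderComment(untrustedHtml) {
  return '<iframe sandbox="" srcdoc="' + escapeAttr(untrustedHtml) + '"></iframe>';
}

// Constructed sample comments: one benign, one that tries to break out of the
// attribute before the sandbox can apply.
const benignComment = '<p>Nice post!</p>';
const breakoutComment = '"><script>x()</script>';

console.log(renderComment(benignComment));
console.log(renderComment(breakoutComment));
```

Without `escapeAttr`, the second comment would end the `srcdoc` attribute and its `<script>` would sit in the host document, outside the sandbox entirely.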
