- From: Shelley Powers <shelley.just@gmail.com>
- Date: Mon, 25 Jan 2010 16:17:42 -0600
- To: Lachlan Hunt <lachlan.hunt@lachy.id.au>
- Cc: public-html@w3.org
Received on Monday, 25 January 2010 22:18:16 UTC
> That security issue is completely independent from XSS, which is where
> client-side scripts are inserted into user generated content which, when
> subsequently output by the server in the page and viewed by other users,
> execute in the browser with the same origin, and thus privileges, as a
> normal script inserted by the page owner would have.
>
> http://en.wikipedia.org/wiki/Cross-site_scripting
>
> Sandboxing in this context is an additional layer of protection against
> XSS. It's a signal to the browser that it should not permit, for example,
> the execution of scripts, or to allow scripts but restrict their access in
> specific ways (depending on the sandbox attribute's value).

Let me ask you something else Lachlan: is there any CMS, such as Wordpress or Drupal, or any other application in the entire world that wants to let you store a comment with a script injection into the database?

The srcdoc attribute is attempting to solve a problem that's not a browser's to solve.

Shelley

> --
> Lachlan Hunt - Opera Software
> http://lachy.id.au/
> http://www.opera.com/