- From: Kornel Lesiński <kornel@geekhood.net>
- Date: Mon, 6 Sep 2010 10:35:34 +0100
- To: public-html@w3.org
- Cc: "Tab Atkins Jr." <jackalmage@gmail.com>

I agree that srcdoc without default sandbox might give a false sense of security[1].

There were also suggestions that data: URIs already do what @srcdoc does, with the exception of fail-safety for sandboxed content in HTML4 UAs.

My suggestion is to replace @srcdoc with @sandboxsrc.

@sandboxsrc takes a URI. Use of this attribute implies sandbox. When @sandboxsrc is used, @src is ignored.

It allows use of sandboxed data: URIs in new UAs without leaving old UAs insecure, and leaves @src for fallback for HTML4 UAs.

Because of the need to percent-escape or base64-encode, data: URIs are less efficient than @srcdoc is. This could be remedied by defining a preprocessing step on @sandboxsrc (and @src?) that adds necessary percent-escaping to the value when the value starts with data:.

    <iframe sandbox srcdoc="<h1>Hello</h1>">

would be changed to:

    <iframe sandboxsrc="data:text/html,<h1>Hello</h1>">

    <iframe sandbox src="hello.html-sandboxed">

would be equivalent to:

    <iframe sandboxsrc="hello.html-sandboxed">

and allow:

    <iframe sandboxsrc="hello.html-sandboxed" src="hello.txt">

--
regards, Kornel Lesiński

[1] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2010-August/028274.html

Received on Monday, 6 September 2010 09:36:11 UTC
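
The proposal above, modelled as an added JavaScript example that is not part of the original message or of any specification. The function names, the `newUA` flag and the exact escaping set are assumptions made for illustration; the message itself only says "necessary percent-escaping".

```javascript
// Added illustration of the proposal in this message; `sandboxsrc` is the
// attribute proposed there, and every function name below is hypothetical.

// Assumption: "necessary percent-escaping" = escape every character outside
// this set. "#" is left out of the set so markup cannot start a URI fragment.
const LITERAL_OK = /^[A-Za-z0-9\-._~:\/?@!$&'()*+,;=]$/;

function escapeDataUri(value) {
  if (!/^data:/i.test(value)) return value; // other URIs are not preprocessed
  let out = "";
  for (let i = 0; i < value.length; ) {
    const triplet = value.slice(i, i + 3);
    if (/^%[0-9A-Fa-f]{2}$/.test(triplet)) {
      out += triplet; // already escaped by the author: keep, do not double-escape
      i += 3;
      continue;
    }
    const ch = String.fromCodePoint(value.codePointAt(i));
    out += LITERAL_OK.test(ch) ? ch : encodeURIComponent(ch);
    i += ch.length;
  }
  return out;
}

// What a UA loads, and whether it is sandboxed. `attrs` maps attribute names
// to values; `newUA` is true for a UA that implements sandbox and sandboxsrc.
function resolveIframe(attrs, newUA) {
  if (newUA && "sandboxsrc" in attrs) {
    // sandboxsrc implies sandbox, and src is ignored
    return { url: escapeDataUri(attrs.sandboxsrc), sandboxed: true };
  }
  // An HTML4 UA knows only src and silently drops sandbox and sandboxsrc.
  return { url: attrs.src ?? null, sandboxed: newUA && "sandbox" in attrs };
}

// Constructed sample markup, as attribute maps.
const proposed = { sandboxsrc: "data:text/html,<h1>Hello</h1>", src: "hello.txt" };
const sandboxOnly = { sandbox: "", src: "hello.html-sandboxed" };
for (const ua of [true, false]) {
  console.log(ua ? "new UA " : "HTML4 UA", resolveIframe(proposed, ua), resolveIframe(sandboxOnly, ua));
}
```

In the HTML4 UA case the `sandbox`-plus-`src` markup loads the untrusted document with no sandbox, while the `sandboxsrc` markup loads only the `src` fallback.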