
@sandboxsrc proposal

From: Kornel Lesiński <kornel@geekhood.net>
Date: Mon, 6 Sep 2010 10:35:34 +0100
Cc: "Tab Atkins Jr." <jackalmage@gmail.com>
Message-Id: <DB2FBC30-6D7D-431B-A38C-618921C8046D@geekhood.net>
To: public-html@w3.org

I agree that srcdoc without a default sandbox might give a false sense of security [1]. There were also suggestions that data: URIs already do what @srcdoc does, with the exception of fail-safety for sandboxed content in HTML4 UAs.


My suggestion is to replace @srcdoc with @sandboxsrc.

@sandboxsrc takes a URI. Use of this attribute implies sandbox. When @sandboxsrc is used, @src is ignored.

It allows use of sandboxed data: URIs in new UAs without leaving old UAs insecure, and leaves @src as a fallback for HTML4 UAs.

Because of the need to percent-escape or base64-encode, data: URIs are less efficient than @srcdoc is. This could be remedied by defining a preprocessing step on @sandboxsrc (and @src?) that adds the necessary percent-escaping to the value when the value starts with data:.

<iframe sandbox srcdoc="<h1>Hello</h1>">

would be changed to:

<iframe sandboxsrc="data:text/html,<h1>Hello</h1>">


<iframe sandbox src="hello.html-sandboxed">

would be equivalent to:

<iframe sandboxsrc="hello.html-sandboxed">

and allow:

<iframe sandboxsrc="hello.html-sandboxed" src="hello.txt">


-- 
regards, Kornel Lesiński

[1] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2010-August/028274.html
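The following is an added example, not part of the original message and not code from any UA or specification: it models the two mechanisms proposed above in JavaScript (Node), namely the percent-escaping preprocessing step for values starting with `data:`, and the fallback behaviour that makes `<iframe sandboxsrc="..." src="...">` fail safe in UAs that do not know the attribute. `sandboxsrc` is the hypothetical attribute from the proposal, and the `resolveIframe`/`preprocessSandboxSrc` functions and the `ua` capability object are assumptions made for the illustration.

```javascript
// Added example (not from the original message). "sandboxsrc" is the
// hypothetical attribute proposed on this list, not a real HTML attribute.

// Characters in a data: URI payload that must be percent-escaped for the URI
// to stay parseable: '%' (escape introducer), '#' (fragment delimiter),
// whitespace, controls and non-ASCII. Everything else (including '<', '>'
// and '"') is left alone, which keeps the markup nearly as compact as @srcdoc.
const MUST_ESCAPE = /[%#\s\x00-\x1f\u{7f}-\u{10ffff}]/gu;
const utf8 = new TextEncoder();

function minimalPercentEscape(payload) {
  return payload.replace(MUST_ESCAPE, ch =>
    Array.from(utf8.encode(ch),
      b => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join(''));
}

// The proposed preprocessing step: only values starting with "data:" are
// touched; a plain URL such as "hello.html-sandboxed" passes through unchanged.
function preprocessSandboxSrc(value) {
  if (!value.startsWith('data:')) return value;
  const comma = value.indexOf(',');
  if (comma === -1) return value;              // malformed data: URI, leave as-is
  const header = value.slice(5, comma);        // e.g. "text/html" or "text/html;base64"
  const payload = value.slice(comma + 1);
  if (/;base64$/i.test(header)) return value;  // base64 payloads need no escaping
  return 'data:' + header + ',' + minimalPercentEscape(payload);
}

// Rewrite the @srcdoc form from the message into the @sandboxsrc data: form.
function srcdocToSandboxSrc(html) {
  return preprocessSandboxSrc('data:text/html,' + html);
}

// Inverse: the document text a UA would actually load from the data: URI.
function decodeDataUri(uri) {
  const comma = uri.indexOf(',');
  const header = uri.slice(5, comma);
  const payload = uri.slice(comma + 1);
  if (/;base64$/i.test(header)) return Buffer.from(payload, 'base64').toString('utf8');
  return decodeURIComponent(payload);
}

// What a UA loads for an iframe, given which attributes it understands.
// A UA that knows @sandboxsrc loads it sandboxed and ignores @src; an
// HTML4-era UA never sees @sandboxsrc and therefore only loads @src.
function resolveIframe(attrs, ua) {
  if (ua.supportsSandboxSrc && 'sandboxsrc' in attrs) {
    return { url: preprocessSandboxSrc(attrs.sandboxsrc), sandboxed: true };
  }
  if ('src' in attrs) {
    // A plain @src is sandboxed only if the UA honours @sandbox.
    return { url: attrs.src, sandboxed: ua.supportsSandbox && 'sandbox' in attrs };
  }
  return { url: 'about:blank', sandboxed: false };
}

// Constructed demo input: the markup from the message plus a payload that
// needs escaping.
const newUA = { supportsSandbox: true, supportsSandboxSrc: true };
const oldUA = { supportsSandbox: false, supportsSandboxSrc: false };
console.log(srcdocToSandboxSrc('<h1>Hello</h1>'));
console.log(preprocessSandboxSrc('data:text/html,<p>100% #1</p>'));
console.log(resolveIframe({ sandboxsrc: 'hello.html-sandboxed', src: 'hello.txt' }, oldUA));
console.log(resolveIframe({ sandbox: '', src: 'hello.html-sandboxed' }, oldUA));
```

The last two calls show the property the proposal is after: with `sandboxsrc` plus a harmless `src` fallback, an old UA loads `hello.txt` and never touches the untrusted document, whereas the `sandbox src="hello.html-sandboxed"` form loads the untrusted document unsandboxed in that same UA.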
Received on Monday, 6 September 2010 09:36:11 GMT
