Re: @sandboxsrc proposal

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Mon, 6 Sep 2010 10:25:20 -0700
Message-ID: <AANLkTikeGF10c1nawK+CDCTegwNhTYoUUm19nWc-c88_@mail.gmail.com>
To: Kornel Lesiński <kornel@geekhood.net>
Cc: public-html@w3.org

2010/9/6 Kornel Lesiński <kornel@geekhood.net>:
>
> I agree that srcdoc without a default sandbox might give a false sense of security[1]. There were also suggestions that data: URIs already do what @srcdoc does, with the exception of fail-safety for sandboxed content in HTML4 UAs.
>
>
> My suggestion is to replace @srcdoc with @sandboxsrc.
>
> @sandboxsrc takes a URI. Use of this attribute implies sandbox. When @sandboxsrc is used, @src is ignored.

This removes the entire reason for @srcdoc, which is that you can use
the sandbox security model without a network request.

~TJ
Received on Monday, 6 September 2010 17:26:12 UTC