W3C home > Mailing lists > Public > public-html@w3.org > August 2011

Re: ISSUE-166 html-sandboxed: Chairs Solicit Proposals

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 03 Aug 2011 08:32:09 +0200
To: "Maciej Stachowiak" <mjs@apple.com>, "Jacob Rossi" <Jacob.Rossi@microsoft.com>
Cc: "Paul Cotton" <Paul.Cotton@microsoft.com>, "'HTML WG LIST'" <public-html@w3.org>, "Sam Ruby (rubys@intertwingly.net)" <rubys@intertwingly.net>, "Adrian Bateman" <adrianba@microsoft.com>
Message-ID: <op.vzmkfvsv64w2qv@annevk-macbookpro.local>
On Wed, 03 Aug 2011 08:11:17 +0200, Jacob Rossi  
<Jacob.Rossi@microsoft.com> wrote:
> I've put the change proposal on the wiki and incorporated the test case:
>
> http://www.w3.org/html/wg/wiki/ChangeProposals/text_html_sandboxed
>
> To be clear, the incorrect advertisement of text/html-sandboxed is only  
> part of our argument against it. The inability to specify allow-tokens  
> or to sandbox content other than text/html severely limits the  
> usefulness of the MIME type as well.

I think the inability to specify allow-tokens stems from the fact that the  
content is supposed to be included in an <iframe> where you can set such  
tokens.

I am not sure what other content would need to be sandboxed. Do you have  
examples of sites putting embedded untrusted content other than HTML on  
third-party servers that would need to be sandboxed if hosted on the same  
server?


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 3 August 2011 06:32:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:37 GMT