Re: text/sandboxed-html from sird@rckc.at on 2010-01-13 (public-web-security@w3.org from January 2010)

From: <sird@rckc.at>
Date: Wed, 13 Jan 2010 10:18:22 +0800
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Ian Hickson <ian@hixie.ch>, public-html@w3.org, public-web-security@w3.org
Message-ID: <8ba534861001121818p7949829awef56adf6b95f4108@mail.gmail.com>

this is a great idea! but I think that legacy browsers will prompt a
<download file> dialog if they dont support it.

why not putting the sandboxed URL inside the sandbox attribute? anyway, it's
just a suggestion, the new mime type is a great idea, now sandbox makes
sense!

<iframe sandbox="http://thesite.com/thesandboxed.html"
sandboxsomething="no-scripts no-frames">

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Wed, Jan 13, 2010 at 10:08 AM, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Jan 12, 2010, at 5:51 PM, Ian Hickson wrote:
>
> > In response to implementor feedback regarding the sandbox="" feature of
> > <iframe> in the WHATWG list [1], and based in part on a 2007 research
> > paper from Microsoft [2], I have introduced a new MIME type for HTML
> > (text/sandboxed-html) that is identical to text/html in every way except
> > one critical aspect: resources served with this MIME type are forced into
> > a unique security origin context.
>
> I would prefer a media type of "text/html-sandboxed", since that places
> the two types next to each other in a sorted list and allows easier
> prefix-matching when desired.
>
> ....Roy
>
>
>

Received on Wednesday, 13 January 2010 02:19:17 UTC