W3C home > Mailing lists > Public > public-web-security@w3.org > January 2010

Re: text/sandboxed-html

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 13 Jan 2010 15:18:11 +0000
Message-ID: <252dd75b1001130718p154b5ccah3865673d3d8a9187@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Ian Hickson <ian@hixie.ch>, public-html@w3.org, public-web-security@w3.org
2010/1/13 sird@rckc.at <sird@rckc.at>

> this is a great idea! but I think that legacy browsers will prompt a
> <download file> dialog if they dont support it.
> why not putting the sandboxed URL inside the sandbox attribute? anyway,
> it's just a suggestion, the new mime type is a great idea, now sandbox makes
> sense!
> <iframe sandbox="http://thesite.com/thesandboxed.html"
> sandboxsomething="no-scripts no-frames">

I agree with Eduardo here and I agree with the mime-type it's a good idea.
It eliminates two problems:-

1) Legacy browsers won't run the code if they don't support it
2) Web sites can choose to be sandboxed, this is useful because the
attribute could be used as an attack vector to conduct certain attacks.
Received on Wednesday, 13 January 2010 15:18:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:17 UTC