W3C home > Mailing lists > Public > public-web-security@w3.org > January 2010

Re: text/sandboxed-html

From: Maciej Stachowiak <mjs@apple.com>
Date: Fri, 15 Jan 2010 10:51:18 -0800
Cc: Ian Hickson <ian@hixie.ch>, public-html@w3.org, public-web-security@w3.org
Message-id: <DEBA6392-F2AC-436C-BCF0-13AAA278C3EF@apple.com>
To: Julian Reschke <julian.reschke@gmx.de>

On Jan 15, 2010, at 5:33 AM, Julian Reschke wrote:

> Ian Hickson wrote:
>> In response to implementor feedback regarding the sandbox=""  
>> feature of <iframe> in the WHATWG list [1], and based in part on a  
>> 2007 research paper from Microsoft [2], I have introduced a new  
>> MIME type for HTML (text/sandboxed-html) that is identical to text/ 
>> html in every way except one critical aspect: resources served with  
>> this MIME type are forced into a unique security origin context.
>> ...
>
> For symmetry, we should also have
>
>  application/xhtml-sandboxed+xml
>
> right?

This actually would not have the desired behavior in legacy UAs,  
because many (well, at least WebKit-based ones) will recognize any  
MIME type ending in +xm as an XML type and will parse it as such.

Regards,
Maciej
Received on Friday, 15 January 2010 18:51:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT