
Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 26 Jan 2010 10:55:41 +0000
Message-ID: <252dd75b1001260255t3a9e5a3ycda365cabae0d347@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: "sird@rckc.at" <sird@rckc.at>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org

2010/1/21 Ian Hickson <ian@hixie.ch>

> If you're using text/sandboxed-html, you're not targeting legacy UAs, so
> I don't really think that's a problem we need to worry about.
>

Let's say the spec is finalised and a browser supports the new attribute.
Nobody will use it because of the prompts. The majority of web sites aren't
going to redirect legacy browsers and therefore the sandboxed iframe will
fail because legacy browsers will dictate what web designers/developers do.
The difficulty in detecting browsers and the average person's knowledge of
DOM and how to detect features is going to add to this mess. By providing a
separate sandboxed src attribute the web developer can choose which items
are sandboxed and then provide a mechanism or fallback URL if they don't.
This worked in the past and it can work now; examples of this are:-

<script></script>
<noscript>You don't have javascript</noscript>

<object>You don't support this object</object>

By using this principle the web developer can easily provide legacy browsers
with an alternative or a message:-
<iframe sandbox-src="sandoxedcontent.html"
src="browser_unsupported.html"></iframe>

Received on Tuesday, 26 January 2010 10:56:13 GMT
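
The fallback discussed in this message can also be expressed with script-side feature detection. The following is an added example, not part of the original message or of any specification text; the function names, URLs and the stub document are assumptions made for illustration:

```javascript
// Added example; function names, URLs and the stub document are hypothetical.

// True when the UA exposes the sandbox IDL attribute on iframe elements.
function supportsSandbox(doc) {
  return 'sandbox' in doc.createElement('iframe');
}

// A UA that does not know the attribute ignores it and would load the
// untrusted page without any sandbox restrictions, so the untrusted URL
// is only assigned once support is confirmed.
function mountSandboxedFrame(doc, container, sandboxedUrl, fallbackUrl, tokens) {
  const frame = doc.createElement('iframe');
  if (supportsSandbox(doc)) {
    // Restrictions go on before src so the first navigation is sandboxed.
    // An empty token list yields sandbox="", the most restrictive setting.
    frame.setAttribute('sandbox', (tokens || []).join(' '));
    frame.setAttribute('src', sandboxedUrl);
  } else {
    frame.setAttribute('src', fallbackUrl);
  }
  container.appendChild(frame);
  return frame;
}

// Constructed stand-in for a DOM document so the logic runs outside a browser.
function makeStubDocument(hasSandbox) {
  return {
    createElement(tag) {
      const attrs = {};
      const el = {
        children: [],
        setAttribute(name, value) { attrs[name] = String(value); },
        getAttribute(name) { return name in attrs ? attrs[name] : null; },
        appendChild(child) { this.children.push(child); return child; },
      };
      if (hasSandbox && tag === 'iframe') el.sandbox = '';
      return el;
    },
  };
}
```

In a browser the call would be `mountSandboxedFrame(document, document.body, ...)`; the stub only exists so both branches can be exercised offline.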
