I like this more than iframe[sandbox], the contents inside the tag would be RAWTEXT? On Jan 27, 2010 8:19 AM, "Helen Wang (MSR)" <helenw@microsoft.com> wrote: > In any case, the text/html-sandbox defense is requirement for hosting > untrusted content on the ... > Making <sandbox> a separate tag instead of an attribute of <iframe> > doesn't eliminate the need t... This <sandbox>'s semantics differs from that of the original MashupOS sandbox. The only goal of the revised <sandbox> is to allow a host page to restrict a public script. The original MashupOS sandbox proposal additionally wants to allow a web server to indicate that some hosted content is untrustworthy and shouldn't be rendered with any origin' privilege. This latter semantics is lost in the revised proposal in exchange for the elimination of setting the MIME type for easy deploy-ability. Please note that <sandbox>'s "src" can *only* be a script, but not any other type of content. This together with its intended semantics make it fine without setting MIME type. Looking from another angle, this <sandbox> proposal is very similar to <script> except the sandboxed script has no privileges. Helen
Received on Wednesday, 27 January 2010 00:44:16 UTC