
Re: text/sandboxed-html

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 26 Jan 2010 17:46:17 -0800
Cc: "Helen Wang (MSR)" <helenw@microsoft.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-id: <315BF9B8-E9A9-4B59-B341-77A7ECC4A714@apple.com>
To: Collin Jackson <collin@collinjackson.com>

On Jan 26, 2010, at 2:44 PM, Collin Jackson wrote:

> 
> Since there is no mechanism preventing the attacker from making an
> iframe that points at the <sandbox>'s "src" attribute, the site needs
> some way of preventing the content from rendering as HTML, even though
> it will normally be script in non-attack scenarios. Serving up content
> with the mime type text/javascript (or application/x-javascript) works
> about as well as text/html-sandboxed (same IE6 and Flash caveats).

Using a JavaScript type is likely to make some or all of the content readable (and not just embeddable) cross-site. So even though it won't then be rendered as HTML, this choice of MIME type has risks.

Regards,
Maciej
Received on Wednesday, 27 January 2010 01:46:51 GMT
