Re: text/sandboxed-html

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 27 Jan 2010 13:08:05 +0000
Message-ID: <252dd75b1001270508h407daffct13fb37ac53cae41c@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Devdatta <dev.akhawe@gmail.com>, Maciej Stachowiak <mjs@apple.com>, Collin Jackson <collin@collinjackson.com>, "Helen Wang (MSR)" <helenw@microsoft.com>, "public-web-security@w3.org" <public-web-security@w3.org>
2010/1/27 sird@rckc.at <sird@rckc.at>

> a <script src=> inside an <iframe sandbox=> is the same as a <sandbox
> src=>, the difference is that the latter is only javascript, and the former
> is JS and HTML (and css maybe).
>
> If I understood correctly, Helen thinks that HTML is dangerous, since it
> executes in the context of the page serving it, while JS by itself is not.
>

Actually it's a better solution:-
<sandbox src=x>Not supported</sandbox>

The iframe content will not be displayed to the user. It makes more sense to
use a new element IMO as you can use alternative HTML within the element
boundaries.
Received on Wednesday, 27 January 2010 13:08:39 GMT