Re: text/sandboxed-html from gaz Heyes on 2010-01-27 (public-web-security@w3.org from January 2010)

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 27 Jan 2010 13:08:05 +0000
To: "sird@rckc.at" <sird@rckc.at>
Cc: Devdatta <dev.akhawe@gmail.com>, Maciej Stachowiak <mjs@apple.com>, Collin Jackson <collin@collinjackson.com>, "Helen Wang (MSR)" <helenw@microsoft.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <252dd75b1001270508h407daffct13fb37ac53cae41c@mail.gmail.com>

2010/1/27 sird@rckc.at <sird@rckc.at>

> a <script src=> inside an <iframe sandbox=> is the same as a <sandbox
> src=>, the difference is that the later is only javascript, and the former
> is JS and HTML (and css maybe).
>
> If I understood correctly, Helen things that HTML is dangerous, since it
> executes in the context of the page serving it, while JS by itself is not..
>

Actually it's a better solution:-
<sandbox src=x>Not supported</sandbox>

The iframe content will not be displayed to the user. It makes more sense to
use a new element IMO as you can use alternative HTML within the element
boundaries

Received on Wednesday, 27 January 2010 13:08:39 UTC