Re: CSP XML Data with tokens

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 09:52:46 +0000
Message-ID: <AANLkTi=yos_ES5rWoK3xc7oo03-vstDFo28spz_fk0y-@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On 28 January 2011 09:32, sird@rckc.at <sird@rckc.at> wrote:

> <iframe sandbox="allow-same-origin" seamless="seamless" srcdoc="your
> html content here"></iframe>
>

Ok, but there are a few problems here. If you replace the target div with an
iframe, what if a site contains a rule like div { position:absolute; } or any
other style, how could that work? How do you know which content to replace
with a sandboxed iframe? How would you apply more restrictions to the HTML?
More attributes? Seems like an ugly hack to me, using an iframe for this
purpose.

Received on Friday, 28 January 2011 09:53:18 GMT