W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: CSP XML Data with tokens

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 28 Jan 2011 02:09:48 -0800
Message-ID: <AANLkTinKH1PGLwiqtF=SkSFkssRLtm_wmz1zHRF3XvzK@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: "sird@rckc.at" <sird@rckc.at>, Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On Fri, Jan 28, 2011 at 1:52 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 28 January 2011 09:32, sird@rckc.at <sird@rckc.at> wrote:
>>
>> <iframe sandbox="allow-same-origin" seamless="seamless" srcdoc="your
>> html content here"></iframe>
>
> Ok, but there are a few problems here: if you replace the target div with an
> iframe, what if a site contains a rule like div { position:absolute; } or any
> other style? How could that work? How do you know which content to replace
> with a sandboxed iframe? How would you apply more restrictions to the HTML?
> More attributes? Seems like an ugly hack to me, using an iframe for this
> purpose.

The reason we use iframe for this purpose is because iframe is
basically the only isolation primitive we have in the web platform
today.

Adam
Received on Friday, 28 January 2011 10:10:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 10:10:55 GMT