- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 28 Jan 2011 02:09:48 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: "sird@rckc.at" <sird@rckc.at>, Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On Fri, Jan 28, 2011 at 1:52 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 28 January 2011 09:32, sird@rckc.at <sird@rckc.at> wrote:
>>
>> <iframe sandbox="allow-same-origin" seamless="seamless" srcdoc="your
>> html content here"></iframe>
>
> Ok but there are a few problems here, if you replace the target div with a
> iframe what if a site contains a rule like div { position:absolute; } or any
> other style, how could that work? How do you know which content to replace
> with a sandboxed iframe? How would you apply more restrictions to the HTML?
> More attributes? Seems like a ugly hack to me using a iframe for this
> purpose
The reason we use iframe for this purpose is because iframe is
basically the only isolation primitive we have in the web platform
today.
Adam
Received on Friday, 28 January 2011 10:10:54 UTC