RE: text/html-sandboxed should just be a sandboxed MIME type attribute

From: Jacob Rossi <jrossi@microsoft.com>
Date: Tue, 29 Mar 2011 15:54:58 +0000
To: Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>, "public-html@w3.org" <public-html@w3.org>, Adrian Bateman <adrianba@microsoft.com>
Message-ID: <D0BC8E77E79D9846B61A2432D1BA4EAE027DF08C@TK5EX14MBXC114.redmond.corp.microsoft.com>

I agree. The fact that my proposal would allow the content to be rendered in legacy browsers is no different than the sandbox iframe attribute itself; and that's the way it should be lest we give the false impression that text/html-sandboxed is more than defense in depth.



> -----Original Message-----
> From: Michal Zalewski [mailto:lcamtuf@coredump.cx]
> Sent: Tuesday, March 29, 2011 4:57 AM
> To: gaz Heyes
> Cc: Jacob Rossi; public-web-security@w3.org; public-html@w3.org; Adrian
> Bateman
> Subject: Re: text/html-sandboxed should just be a sandboxed MIME type
> attribute
> 
> > 2) The mime type ensures that the content itself was intended to be
> > sandboxed.
> 
> Not really; still-popular browsers such as MSIE6 and MSIE7 will still
> tend to detect HTML on such a document in certain circumstances. If the
> goal of text/html-sandboxed is backward safety, then ignoring this is
> probably problematic (but I do think this was discussed before).
> 
> /mz
Received on Tuesday, 29 March 2011 15:56:45 GMT