
[whatwg] Sandboxing scripts in pages

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 12 Jan 2007 22:14:44 +0100
Message-ID: <op.tl17yuen64w2qv@id-c0020>
On Fri, 12 Jan 2007 22:09:40 +0100, Asbjørn Ulsberg  
<asbjorn at tigerstaden.no> wrote:
>> Use an <iframe> and use cross-document messaging? This has been  
>> discussed a lot by the way.
>
> Frames are a terrible solution. The content is after all a part of the  
> page it's hosted in, but we want to sandbox it to make sure it can't do  
> any harm.

The proposed alternative is severely underdefined and won't work for the  
foreseeable future anyway.


> Let's say we'd like to sandbox anonymous user-contributed comments on a  
> blog, but not comments from logged in users. That would require all  
> anonymous comments to be placed within an iframe. For 100 anonymous  
> comments, that's 100 iframes on a single web page. Don't tell me that's  
> an elegant solution.

Why wouldn't you have comment sanitization? Note that you could use  
data: URIs on the <iframe>s.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 12 January 2007 13:14:44 UTC
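
The data: URI suggestion in the message above, as an added example that is not part of the original message or of any project's code: each anonymous comment is packed into its own `<iframe>` whose `src` is a data: URI, while logged-in comments go through a sanitizer and are emitted inline. All function names and the sample comments are hypothetical, and the sanitizer passed in is a stand-in that escapes everything; the isolation relies on the browser giving a data: document its own opaque origin, which is an assumption about the browsers you target and is not stated in the thread.

```javascript
// Added example; every name here is hypothetical, sample data is constructed.

// Escape text for use inside a double-quoted HTML attribute (or as plain text).
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

const DATA_PREFIX = "data:text/html;charset=utf-8,";

// Pack an untrusted HTML fragment into a data: URI. Percent-encoding removes
// every <, >, " and & so none of the comment's markup reaches the host page.
function toDataUri(untrustedHtml) {
  const doc = '<!DOCTYPE html><meta charset="utf-8"><body>' + untrustedHtml;
  return DATA_PREFIX + encodeURIComponent(doc);
}

// Inverse of toDataUri, used to check that the comment survives the round trip.
function fromDataUri(uri) {
  if (!uri.startsWith(DATA_PREFIX)) throw new Error("unexpected data: URI");
  return decodeURIComponent(uri.slice(DATA_PREFIX.length));
}

// Anonymous comments get one frame each; logged-in comments are passed through
// the caller's sanitizer and emitted inline in the host document.
function renderComment(comment, sanitize) {
  if (comment.anonymous) {
    return '<iframe class="comment" src="' +
           escapeAttr(toDataUri(comment.html)) + '"></iframe>';
  }
  return '<div class="comment">' + sanitize(comment.html) + "</div>";
}

function renderComments(comments, sanitize) {
  return comments.map((c) => renderComment(c, sanitize)).join("\n");
}

// Constructed sample input: one anonymous comment carrying a script, one
// comment from a logged-in user.
const sampleComments = [
  { anonymous: true,  html: '<p>Nice post</p><script>document.title="x"</script>' },
  { anonymous: false, html: "<p>Thanks!</p>" },
];

console.log(renderComments(sampleComments, escapeAttr));
```

The host page never contains the anonymous comment's markup, only the encoded URI, so a script in the comment runs (if at all) inside the framed document rather than in the blog page.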
