[whatwg] Sandboxing ideas

On Mon, 14 May 2007 22:02:42 +0200, Jon Barnett <jonbarnett at gmail.com>  
wrote:

>>> I'd treat these two problems as equally important. A separate HTTP
>>> request per forum comment on the page is completely unacceptable.

>> What about encoding the content of each comment iframe in a "data:" URI?

> The contents of an iframe with a data: URI source should be trusted,  
> unlike
> an iframe with an http: URI source from another domain.  A script in an
> iframe with a data: URI source should, by default, be able to communicate
> with the parent window.  So, that alone doesn't solve the problem.

Not to mention that data: URIs are ugly, wasteful (because of the BASE64  
encoding), cannot be read and written by humans directly, and have maximum  
length problems in some implementations.


-- 
Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com

Received on Monday, 14 May 2007 13:19:06 UTC