[whatwg] The <iframe> element and sandboxing ideas

Ian Hickson wrote:
> I'm thinking of introducing a 
> new attribute. I haven't worked out what to call it yet, but definitely 
> not "src", "source", "src2", "content", "value", or "data" -- maybe 
> "html" or "doc", though neither of those are great. This attribute would 
> take a string which would then be interpreted as the source document 
> markup of an HTML document, much like the above; it would override src="" 
> if it was present, allowing src="" to be used for legacy UAs:
>
>    <iframe seamless sandbox="allow-scripts allow-forms" doc="
>      <!DOCTYPE HTML>
>      <title></title>
>      Welcome to my blog!
>      </sandbox>
>      <a href='#' onclick='alert(document.cookie)'>Click here</a>
>    "></iframe>
>
> (There are things we can do to make this better, e.g. make the <!DOCTYPE 
> HTML> and <title></title> bits implicit, maybe introducing type="" to say 
> whether it's HTML or XML instead of only supporting HTML, maybe saying 
> that if src="" and doc="" are both specified they must have identical 
> data, etc.)
>
> Comments and suggestions on this are welcome. I haven't added it to the 
> spec yet. I do agree that without this or something equivalent that we 
> don't have a solution for sandboxing embedded blog comments yet.
>
I was wondering if you could use the content of the iframe as the source 
for the iframe document.

By my testing (FF2, FF3b, Saf2, Saf3, Opera9.2, IE6) it seems that 
current browsers ignore content inside an <iframe>. So this degrades 
safely for HTML.

The content is available with innerHTML on IE6 and textContent on the 
others except Safari-2. So you could possibly emulate the HTML5 behavior 
using JS.

This idea doesn't adapt so readily to XHTML.
In XHTML the iframe content is also parsed as XHTML, but is not 
displayed. Unfortunately Safari and Opera execute any scripts. You could 
put the content in a cdata-section, but it feels wrong.

Sorry if this has been discussed before - I couldn't find anything when 
I searched the list.

Received on Thursday, 22 May 2008 20:41:45 UTC
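The doc="" attribute idea quoted above, as an added example that is not code from the thread: a server-side builder that puts an untrusted blog comment into the attribute (escaping only & and ", since the UA unescapes the attribute before parsing it as the sandboxed document), next to the naive unescaped version, with a check via Python's standard HTML parser that the comment round-trips and that no tag from it lands in the host page. The comment string is constructed; the attribute name doc and the sandbox tokens are taken from the proposal.

```python
from html.parser import HTMLParser

# Constructed sample of an untrusted blog comment (an assumption about what a
# commenter might submit); it deliberately contains quotes and markup.
UNTRUSTED_COMMENT = (
    'Nice post! <b>bold</b> &amp; "quoted"\n'
    '"><script>alert(document.cookie)</script><iframe doc="'
)

def build_sandboxed_iframe(doc_markup, sandbox="allow-forms"):
    """Return an <iframe> whose doc="" attribute carries doc_markup.

    Inside a double-quoted attribute value only & and " need escaping; the
    tags in the comment survive because the UA unescapes the attribute and
    only then parses its value as the sandboxed document's markup.
    """
    escaped = doc_markup.replace("&", "&amp;").replace('"', "&quot;")
    return f'<iframe seamless sandbox="{sandbox}" doc="{escaped}"></iframe>'

def build_naively(doc_markup, sandbox="allow-forms"):
    """Unescaped concatenation: a " in the comment terminates the attribute."""
    return f'<iframe seamless sandbox="{sandbox}" doc="{doc_markup}"></iframe>'

class _TagCollector(HTMLParser):
    """Record every start tag the parser sees, with its unescaped attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

def doc_round_trips(comment):
    """True when the host page contains only the iframe and its doc=""
    attribute, once unescaped, is exactly the comment that was put in."""
    tags = parse_tags(build_sandboxed_iframe(comment))
    return [t for t, _ in tags] == ["iframe"] and tags[0][1].get("doc") == comment

def escapes_iframe(markup):
    """True when a <script> start tag shows up in the host page itself."""
    return any(tag == "script" for tag, _ in parse_tags(markup))
```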