W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2009

[whatwg] some thoughts on sandboxed IFRAMEs

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sun, 13 Dec 2009 13:30:33 -0800
Message-ID: <448e9a320912131330j15e134bfi48036992d55c729f@mail.gmail.com>
> The @sandbox seems like a better fit for the advertising use case.

I am not contesting this, to be clear - I am aware of many cases where
it would be very useful - but gadgets are a fairly small part of the
Internet, and it seems like a unified solution would be more desirable
than several very different APIs with different granularity.

The toStaticHTML-alike will address other specific uses, but will
leave applications that can't rely on JS exclusively for their
rendering needs (which I'd wager is still a majority) out in the cold;
which would probably lead to yet another XSS prevention / HTML
sandboxing approach emerging later on.

I haven't really seen a compelling argument why all these can't be
unified without a significant increase in code or spec complexity -
maybe one exists.

More importantly, some of the features of @sandbox (e.g.,
allow-same-origin), as well as some of the examples in the spec, seem
to be explicitly targeted for other use cases, which makes me think
this is not the consensus between the authors; and the particular
same-origin "user content" example would promote highly unsafe coding
practices if ever followed. So it seems to me like such a narrow use
case is not even the consensus between authors?

Cheers,
/mz
Received on Sunday, 13 December 2009 13:30:33 UTC