
[whatwg] some thoughts on sandboxed IFRAMEs

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sun, 13 Dec 2009 13:51:29 -0800
Message-ID: <448e9a320912131351u2a07a21cq2dd908b5e145b898@mail.gmail.com>
> That seems like a backwards way of proceeding. Do you have a proposal
> for unification besides the <jail> tag?

The only fundamental objection I have heard against it is the trouble
with XML representation.

The other option is to simply require a traditional CDATA-esque
behavior or a tag parameter - which would place the burden on the
author to filter out / escape a single exact string or a quote, but
would be similar otherwise.

It's obviously less secure - because the token-based approach
actually requires the user to explicitly come up with a token, however
poor it might be, whereas here, there is no way to enforce escaping.
But it's a solution that would not conflict with XML in any way.

From Tab's response, looks like it's being considered, too - @doc +
@seamless. What strikes me as a bit ironic is that this way, we're
overloading IFRAME to become something else entirely, and after
rejecting token-guards, settling for an option that is definitely not
perfect, and in practice, I think, is bound to be less secure.

/mz
Received on Sunday, 13 December 2009 13:51:29 UTC
