[whatwg] The <iframe> element and sandboxing ideas

On Fri, 23 May 2008, Sean Hogan wrote:
> Ian Hickson wrote:
> > I'm thinking of introducing a new attribute. I haven't worked out what to
> > call it yet, but definitely not "src", "source", "src2", "content", "value",
> > or "data" -- maybe "html" or "doc", though neither of those are great. This
> > attribute would take a string which would then be interpreted as the source
> > document markup of an HTML document, much like the above; it would override
> > src="" if it was present, allowing src="" to be used for legacy UAs:
> > 
> >    <iframe seamless sandbox="allow-scripts allow-forms" doc="
> >      <!DOCTYPE HTML>
> >      <title></title>
> >      Welcome to my blog!
> >      </sandbox>
> >      <a href='#' onclick='alert(document.cookie)'>Click here</a>
> >    "></iframe>
> > 
> > (There are things we can do to make this better, e.g. make the <!DOCTYPE
> > HMTL> and <title></title> bits implicit, maybe introducing type="" to say
> > whether it's HTML or XML instead of only supporting HTML, maybe saying that
> > if src="" and doc="" are both specified they must have identical data, etc.)
> > 
> > Comments and suggestions on this are welcome. I haven't added it to the spec
> > yet. I do agree that without this or something equivalent that we don't have
> > a solution for sandboxing embedded blog comments yet.

Incidentally I've decided for now to wait until we have more experience 
with sandbox="" before adding the above to the spec.


> I was wondering if you could use the content of the iframe as the source 
> for the iframe document.

Besides the XHTML problem you mention, there is also the issue that it 
would be much more complicated to get the escaping right for content 
inside an <iframe> than for content in an attribute. (You have to handle 
the "magic" non-commenting <!--/--> pairs, and you would lose the ability 
to have any sub-iframes.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 13 February 2009 15:09:20 UTC