W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2010

[whatwg] @srcdoc and default @sandbox

From: Kornel Lesiński <kornel@geekhood.net>
Date: Wed, 1 Sep 2010 00:16:43 +0100
Message-ID: <18F35529-F478-4AD0-B9F8-2F31E5DFE03F@geekhood.net>
On 31.08.2010, at 23:39, Tab Atkins Jr. wrote:

>>>> At least as currently drafted, srcdoc is not a security feature. It's a
>>>> convenience feature. It is also designed to work well in tandem with a
>>>> particular security feature (sandbox). But by itself, it is not a security
>>>> feature.
>>> 
>>> Data URLs already provide this.
>> 
>> What about existing UAs that implement data: URIs, but not sandbox?
> 
> What about them?
> 
> (Remember, the context of the "use data urls" suggestion was to solve
> the minority use-case of wanting to fill an <iframe> without a network
> request, without triggering sandboxing.)

Yes, it's OK for data without sandboxing. However, "inline data without sandboxing" does not cover all use cases of srcdoc. There's another use case of "inline data _with_ sandboxing and fallback for HTML4 UAs", for which data: URI currently cannot provide.

My point is that data: URIs provide only half of srcdoc functionality, and if srcdoc is supposed to be dropped in favor of data: URI, then the other use case needs to be taken into account as well.

-- 
regards, Kornel
Received on Tuesday, 31 August 2010 16:16:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:00 UTC