- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Thu, 20 May 2010 11:32:05 +1200
On Wed, May 19, 2010 at 5:35 AM, Ojan Vafai <ojan at chromium.org> wrote: > The webkit behavior of allowing all scripts makes the most sense to me. It > should be possible to disable scripts, but that capability shouldn't be tied > to editability. The clean solution for the CKEditor developer is to use a > sandboxed iframe. > Discussion led to the point that there's a fundamental conflict between sandboxed iframes and JS-based framebusting techniques. The point of https://bugzilla.mozilla.org/show_bug.cgi?id=519928 is that Web sites using JS-based techniques to prevent clickjacking can be thwarted if the containing page has a way to disable JS in the child document. Currently 'designmode' is usable that way in Gecko, but 'sandbox' would work even better. Maybe sites should all move to declarative techniques such as CSP or X-Frame-Options (although there are suggestions that maybe they don't want to for some reason --- see https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c5 ). But there are still issues with existing sites. Should we care? Rob -- "He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6] -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100520/7560765a/attachment.htm>
Received on Wednesday, 19 May 2010 16:32:05 UTC