[Bug 8849] The ability for an author to completely disable javascript on their webpage - an html scripts="no" attribute from bugzilla@wiggum.w3.org on 2010-01-31 (public-html-bugzilla@w3.org from January 2010)

From: <bugzilla@wiggum.w3.org>
Date: Sun, 31 Jan 2010 21:03:46 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1NbgxO-00053M-N6@wiggum.w3.org>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=8849


Tab Atkins Jr. <jackalmage@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jackalmage@gmail.com




--- Comment #1 from Tab Atkins Jr. <jackalmage@gmail.com>  2010-01-31 21:03:46 ---
We already have a mechanism for turning off scripts in @sandbox.  This also
lets you apply more fine control than just shutting off scripts entirely.

Putting an entire page into sandbox mode is an interesting idea.  By itself, it
doesn't work - <html sandbox> fails open in legacy browsers.  But if you then
serve that page with text/html-sandboxed mimetype, it would have all the
behaviors we want.  It would fail closed in legacy browsers, and give you full
sandboxing control over the entire page.

So, counter-proposal!  Allow @sandbox on <html>.  Recommend that it be served
with text/html-sandboxed to prevent unwanted execution in legacy clients.


-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Sunday, 31 January 2010 21:03:48 UTC