- From: <bugzilla@jessica.w3.org>
- Date: Wed, 03 Aug 2011 08:37:25 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13599
Summary: Remove srcdoc attribute on iframe
Product: HTML WG
Version: unspecified
Platform: PC
OS/Version: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: HTML5 spec (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: jirka@kosek.cz
QAContact: public-html-bugzilla@w3.org
CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org
Although srcdoc might be seen as a security improvement, it actually isn't. It
adds another layer of escaping markup which can lead to errors. Especially in
situations where the srcdoc document will contain another iframe with src.
If there is a need for srcdoc functionality, then such functionality should be
based on an element, not on an attribute where escaping of markup is necessary.
Received on Wednesday, 3 August 2011 08:37:26 UTC
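
The escaping layers the report refers to, as an added example that is not part of the original bug report: a constructed inner iframe whose src URL contains an ampersand is wrapped in srcdoc once and twice, with one escaping pass needed per layer. The helper names and the example.test URL are assumptions made for illustration.

```javascript
// Added illustration; all names and the URL below are constructed.

// Escape text for a double-quoted HTML attribute value.
// "&" must be replaced first so the "&quot;" we emit is not re-escaped.
function escapeAttr(text) {
  return text.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Undo exactly one layer of escapeAttr (inverse order: "&quot;" before "&amp;").
function unescapeAttr(value) {
  return value.replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// Wrap markup in <iframe srcdoc="..."> `depth` times, escaping once per layer.
function wrapInSrcdoc(html, depth) {
  let out = html;
  for (let i = 0; i < depth; i++) {
    out = '<iframe srcdoc="' + escapeAttr(out) + '"></iframe>';
  }
  return out;
}

// Recover the document carried by one srcdoc layer. Throws if the attribute
// value holds a raw quote, which is what a forgotten escaping pass produces.
function unwrapSrcdoc(markup) {
  const m = /^<iframe srcdoc="([^"]*)"><\/iframe>$/.exec(markup);
  if (!m) throw new Error("srcdoc value is not a single well-quoted attribute");
  return unescapeAttr(m[1]);
}

// Constructed inner document: an iframe with src, query string contains "&".
const INNER_URL = "https://example.test/widget?a=1&b=2";
const inner = '<iframe src="' + escapeAttr(INNER_URL) + '"></iframe>';

// Wrapping without escaping: the first quote of src="..." ends srcdoc early.
function wrapWithoutEscaping(html) {
  return '<iframe srcdoc="' + html + '"></iframe>';
}

console.log(wrapInSrcdoc(inner, 1));
console.log(wrapInSrcdoc(inner, 2));
```

Each additional layer turns the URL's single ampersand into one more `amp;` repetition, and skipping a pass at any layer leaves a raw quote that ends the attribute early.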