W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > August 2011

[Bug 13599] Remove srcdoc attribute on iframe

From: <bugzilla@jessica.w3.org>
Date: Wed, 03 Aug 2011 19:18:28 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1QogxY-0001G0-1E@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13599

--- Comment #3 from Tab Atkins Jr. <jackalmage@gmail.com> 2011-08-03 19:18:27 UTC ---
(In reply to comment #2)
> Despite the conversations on the lists, I still agree with Jirka that this
> feature increases the attack surface area by requiring the markup to be
> correctly escaped.  No browsers implement this yet, I'd like to see this
> removed from the spec. I think the risk outweighs the functionality (for most
> of which there are other simple ways to implement the functionality).

Can you give an example of another way to safely embed third-party content in a
page without incurring a network request per piece of content, and explain how
it's easier or simpler to use than @srcdoc?  I believe the on-list
conversations were fairly exhaustive.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 3 August 2011 19:18:33 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 16:31:16 UTC