- From: HTML Weekly Issue Tracker <sysbot+tracker@w3.org>
- Date: Thu, 23 Jun 2011 16:23:01 +0000
- To: public-html-wg-issue-tracking@w3.org
HTML-ISSUE-166 (html-sandboxed): text/html-sandboxed does not always fail closed [HTML 5 spec]

http://www.w3.org/html/wg/tracker/issues/166

Raised by: Adrian Bateman
On product: HTML 5 spec

This issue was raised on behalf of Jacob Rossi.

The current spec includes a text/html-sandboxed MIME type to mitigate a scenario where a sandboxed iframe can be escaped by top-level navigation to the content (thereby escaping the origin protections). It's designed with the intention of failing closed in non-supporting UAs. However, there are cases where this design will not work (IE6 as an example).

Because sandbox is a defense-in-depth feature, we need a solution to this scenario which also appears as defense-in-depth; this suggests failing open.

Our suggestion was a MIME type attribute such as text/html;sandboxed. It would behave the same as text/html-sandboxed except that non-supporting UAs would render it without restrictions (exactly as the sandbox iframe attribute behaves). Additionally, this has the benefit of allowing content other than text/html to be sandboxed by the server (e.g., image/svg+xml;sandboxed).

See the associated bug for details: http://www.w3.org/Bugs/Public/show_bug.cgi?id=12390
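To make the fail-closed versus fail-open distinction concrete, here is an added example (not part of the issue text or of any browser's code) that parses a Content-Type header and models three user agents: one that supports both the spec's text/html-sandboxed type and the proposed `sandboxed` parameter, a legacy UA that ignores unknown parameters and refuses to render unknown types, and a legacy UA that content-sniffs unknown types as HTML (the case the issue says defeats the fail-closed design). The set of types the legacy UA recognises and the sniffing model are constructed assumptions.

```javascript
// Added example: how a Content-Type header is interpreted under the spec's
// text/html-sandboxed type versus the proposed "sandboxed" parameter.

// Minimal Content-Type parser: "type/subtype; k=v; flag" -> { type, params }.
// A bare parameter such as "sandboxed" (no "=") is recorded as true.
function parseContentType(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const type = (parts.shift() || '').toLowerCase();
  const params = {};
  for (const p of parts) {
    const i = p.indexOf('=');
    const name = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    const value = i < 0 ? true : p.slice(i + 1).trim().replace(/^"(.*)"$/, '$1');
    params[name] = value;
  }
  return { type, params };
}

// UA implementing both mechanisms: 'sandboxed-render' means the iframe
// sandbox restrictions are applied to the navigated document.
function supportingUA(header) {
  const { type, params } = parseContentType(header);
  if (type === 'text/html-sandboxed') return 'sandboxed-render';
  if ('sandboxed' in params) return 'sandboxed-render'; // proposed form, any type
  return 'render';
}

// Constructed model of a legacy UA that knows neither mechanism. It renders
// only types it recognises and ignores parameters it does not understand, so
// the parameter form fails open (rendered without restrictions). With
// sniff=true it content-sniffs unknown types as HTML, which is why
// text/html-sandboxed does not reliably fail closed.
const LEGACY_KNOWN = new Set(['text/html', 'image/svg+xml', 'text/plain']);
function legacyUA(header, { sniff = false } = {}) {
  const { type } = parseContentType(header);
  if (LEGACY_KNOWN.has(type)) return 'render';
  return sniff ? 'render' : 'not-rendered';
}

// Side-by-side outcome for one header value.
function compare(header) {
  return {
    supporting: supportingUA(header),
    legacy: legacyUA(header),
    legacySniffing: legacyUA(header, { sniff: true }),
  };
}
```

Calling `compare('text/html-sandboxed')` shows the sniffing legacy UA rendering the document unrestricted, the same outcome the parameter form gives on every legacy UA, which is the trade-off the issue describes.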
Received on Thursday, 23 June 2011 16:23:02 UTC