- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 13 Feb 2009 21:54:51 +0000 (UTC)
- To: Martin Atkins <mart@degeneration.co.uk>
- Cc: HTMLWG <public-html@w3.org>, whatwg <whatwg@whatwg.org>
(Please pick one mailing list when replying, so as to reduce cross-posting.)

On Thu, 22 May 2008, Martin Atkins wrote:
> > * I've added a sandbox="" attribute to <iframe>, which by default
> > disables a number of features and takes a space-separated list of
> > features to re-enable:
>
> Unless I'm missing something, this attribute is useless in practice
> because legacy browsers will not impose the restrictions. This means
> that as long as legacy browsers exist (i.e. forever) server-side
> filtering must still be employed to duplicate the effects of the
> sandbox.
>
> One alternative would be to use a different element name so that
> fallback content can be provided for legacy browsers. In the short term,
> this is likely to be something like this:
>
> <sandbox src="/comments/blah">
> <iframe src="/comments/blah?do-security-filtering=1"></iframe>
> </sandbox>
>
> Once a large percentage of browsers support <sandbox> authors can start
> to be less accommodating with their fallback content, either by
> filtering out HTML tags entirely (which I'd assume is easier than just
> filtering out script) or at the extreme just setting the fallback
> content to be "Your browser is not supported".

One can just do:

<iframe sandbox src="/comments/blah?do-security-filtering=1"></iframe>

The "sandbox" feature just provides one more level of defence in depth,
and is not intended to be a complete security solution.

--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
Received on Friday, 13 February 2009 22:06:53 UTC
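The two layers discussed above, written out as an added example (Node.js, not code from this thread or from the HTML spec): the embedding page emits the sandboxed iframe, and the comments endpoint neutralises user HTML on the server unconditionally, so a legacy browser that ignores the attribute still receives no executable markup. The token names, the escapeHtml helper and the function names are assumptions for this example.

```javascript
// Added example, not from the thread. Two layers of defence in depth:
// Layer 1: the embedding page emits <iframe sandbox ...>; browsers that
//          implement the attribute enforce the restrictions.
// Layer 2: the comments endpoint emits user input as text, never markup,
//          because a legacy browser renders whatever the endpoint sends.

// Sandbox tokens a caller may re-enable. These are the names from the
// finished HTML spec; the 2009 draft names differed, so this set is an
// assumption for the example.
const SANDBOX_TOKENS = new Set([
  'allow-forms', 'allow-popups', 'allow-same-origin', 'allow-scripts',
]);

// Escape the characters that carry meaning in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Build the embedding markup. `allow` lists features to re-enable; tokens
// outside the known set are rejected rather than passed through silently.
function sandboxedIframe(src, allow = []) {
  for (const t of allow) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  // A same-origin frame that may run script can reach into its parent and
  // remove its own sandbox attribute, so this pairing contains nothing.
  if (allow.includes('allow-scripts') && allow.includes('allow-same-origin')) {
    throw new Error('allow-scripts with allow-same-origin defeats the sandbox');
  }
  const attr = allow.length ? ` sandbox="${allow.join(' ')}"` : ' sandbox';
  return `<iframe${attr} src="${escapeHtml(src)}"></iframe>`;
}

// The document served inside the frame. Comments are always escaped; the
// ?do-security-filtering=1 flag from the thread is deliberately not consulted,
// because the server cannot know whether the requesting browser sandboxes.
function renderCommentsDocument(comments) {
  const items = comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
  return `<!DOCTYPE html><ul>${items}</ul>`;
}
```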