- From: Adam Barth <whatwg@adambarth.com>
- Date: Fri, 13 Feb 2009 15:50:42 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, whatwg <whatwg@whatwg.org>, HTMLWG <public-html@w3.org>
On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson <ian@hixie.ch> wrote: > Indeed. If someone can come up with a way of making this work in legacy > UAs, I'd certainly be happy to change the spec to do that. Here's a suggestion. When requesting the contents of a sandboxed iframe, send an HTTP header that contains the sandbox policy: X-HTML-Sandbox-Policy: allow-forms, allow-scripts Servers can decide not to serve untrusted content if they don't see a sandbox policy they like. Adam
Received on Saturday, 14 February 2009 14:32:44 UTC