- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 31 May 2009 17:58:14 +0000 (UTC)
- To: Larry Masinter <masinter@adobe.com>
- Cc: HTML WG <public-html@w3.org>
On Sun, 31 May 2009, Larry Masinter wrote:
> About Safari's feed reader, Maciej wrote:
>
> > 2) We can also display a user-selected collection of feeds as one
> > document, again displayed as HTML.
> > 3) We don't execute any script that came from the feed in the context
> > of generated HTML document. At the very least due to point #2 this
> > would be insecure.
> > 4) We don't let any web page access the contents of the generated HTML
> > document via script.
>
> Doesn't this somehow create a "restricted HTML" which is allowed in
> a feed? The HTML in a feed can't be scripted at all? Or the scripts
> can't access the HTML of their subsection?
>
> I was wondering how HTML-in-webmail could work, since the HTML of
> the mail needs to be embedded in the HTML of the webmail client itself.
>
> Where in the HTML spec is this addressed?

Just turning off scripting is just a matter of setting "scripting is
disabled":

   http://www.whatwg.org/specs/web-apps/current-work/#concept-bc-script

One could leverage the sandbox features to disable forms, plugins,
navigation of other browsing contexts, and to make the origin appear to
be a unique origin:

   http://www.whatwg.org/specs/web-apps/current-work/#attr-iframe-sandbox

...though that's not been requested by implementors so far.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 31 May 2009 17:58:50 UTC
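An added example (not part of the thread) modelling how the iframe sandbox attribute referenced above maps onto the restrictions Ian lists: forms, plugins, navigation of other browsing contexts, and a unique origin. The allow-* keywords are the HTML spec's; the flag labels and the two functions are names chosen here for illustration.

```javascript
// Model of the iframe sandbox attribute -> sandboxing restrictions.
// Each restriction is lifted by exactly one allow-* keyword, or by none:
// plugins and navigation of other browsing contexts cannot be re-enabled
// from the sandbox attribute at all.
const SANDBOX_RESTRICTIONS = {
  uniqueOrigin: "allow-same-origin",  // content is treated as a unique, opaque origin
  noForms: "allow-forms",
  noScripts: "allow-scripts",
  noTopNavigation: "allow-top-navigation",
  noPlugins: null,
  noOtherContextNavigation: null,
};

// Parse the attribute as the spec does: an unordered set of unique
// space-separated tokens, matched ASCII case-insensitively.
function parseSandbox(attrValue) {
  const tokens = new Set(
    attrValue.trim().split(/[\t\n\f\r ]+/).filter(Boolean).map(t => t.toLowerCase())
  );
  const restrictions = {};
  for (const [name, lifter] of Object.entries(SANDBOX_RESTRICTIONS)) {
    restrictions[name] = lifter === null || !tokens.has(lifter);
  }
  return { tokens, restrictions };
}

// Defender's check: if the embedded content is same-origin with the
// embedding page and both allow-scripts and allow-same-origin are set,
// the embedded document can reach the parent DOM and strip its own
// sandbox attribute, so the sandbox provides no isolation.
function sandboxIsEffective(attrValue, contentIsSameOrigin) {
  const { tokens } = parseSandbox(attrValue);
  const selfEscape = contentIsSameOrigin &&
    tokens.has("allow-scripts") && tokens.has("allow-same-origin");
  return !selfEscape;
}

// Feed-reader scenario from the thread: feed HTML embedded with an empty
// sandbox attribute, i.e. every restriction in force (constructed input).
if (typeof require !== "undefined" && require.main === module) {
  console.log(parseSandbox("").restrictions);
  console.log(sandboxIsEffective("allow-scripts allow-same-origin", true)); // false
}
```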