- From: Larry Masinter <masinter@adobe.com>
- Date: Sun, 31 May 2009 11:04:46 -0700
- To: Ian Hickson <ian@hixie.ch>
- CC: HTML WG <public-html@w3.org>
Not sure I understand -- does web mail have to turn off scripting? Is the only HTML that is suitable for transmission by email to a web mail user one that doesn't rely on scripting? How can I email HTML which uses <canvas>, if scripting is turned off for web mail users?

Larry
--
http://larry.masinter.net

-----Original Message-----
From: Ian Hickson [mailto:ian@hixie.ch]
Sent: Sunday, May 31, 2009 10:58 AM
To: Larry Masinter
Cc: HTML WG
Subject: RE: HTML interpreter vs. HTML user agent

On Sun, 31 May 2009, Larry Masinter wrote:
> About Safari's feed reader, Maciej wrote:
>
> > 2) We can also display a user-selected collection of feeds as one
> > document, again displayed as HTML.
> > 3) We don't execute any script that came from the feed in the context
> > of generated HTML document. At the very least due to point #2 this
> > would be insecure.
> > 4) We don't let any web page access the contents of the generated HTML
> > document via script.
>
> Doesn't this somehow create a "restricted HTML" which is allowed in
> a feed? The HTML in a feed can't be scripted at all? Or the scripts
> can't access the HTML of their subsection?
>
> I was wondering how HTML-in-webmail could work, since the HTML of
> the mail needs to be embedded in the HTML of the webmail client itself.
>
> Where in the HTML spec is this addressed?

Just turning off scripting is just a matter of setting "scripting is
disabled":

   http://www.whatwg.org/specs/web-apps/current-work/#concept-bc-script

One could leverage the sandbox features to disable forms, plugins,
navigation of other browsing contexts, and to make the origin appear to be
a unique origin:

   http://www.whatwg.org/specs/web-apps/current-work/#attr-iframe-sandbox

...though that's not been requested by implementors so far.

--
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 31 May 2009 18:05:25 UTC