Re: Issue 100 Zero-Edits Counter Proposal from Tab Atkins Jr. on 2010-04-14 (public-html@w3.org from April 2010)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Wed, 14 Apr 2010 15:01:24 -0700
To: Shelley Powers <shelley.just@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, public-html@w3.org
Message-ID: <i2qdd0fbad1004141501t32c11f81of4125569fb78ea2d@mail.gmail.com>

On Tue, Apr 13, 2010 at 9:53 PM, Shelley Powers <shelley.just@gmail.com> wrote:
> I'm assuming that there are more use cases, and more target
> communities, for sandboxing other than just weblogging comments and
> webloggers. However, the only purpose given for srcdoc was weblogging
> comments and webloggers, and that was the only one I addressed. I
> don't feel comfortable speaking for an entire community of people, but
> I believe that Matt Mullenweg's response,  recorded in the change
> proposal, was a good indicator that the community isn't interested,
> and is very unlikely to use the attribute.

I didn't bring this up before, but Wordpress has a *long history* of
XSS vulnerabilities caused by bad escaping/sanitizing/etc.  If they've
finally got a handle on it, great.  That's awesome.  But, as I keep
saying, they're an organization with time and effort to spend on this.
 And even with that sort of time and effort, they still got it
dangerously wrong many, many times before they, hopefully, finally did
things correctly.  And they still could possibly have holes, if new
capabilities are added in the future that their sanitizers don't
account for.

If regularly-updated Wordpress blogs don't require the sandbox
security model to protect themselves, that's fine.  But that doesn't
say anything about:

1. Infrequently updated Wordpress blogs
2. Blogs using some other blogging platform that don't share
Wordpress's sanitation library
3. Blogs written by hand by an author
4. Any other system that wishes to display user-generated content
(retrieved locally, and thus possible to put into the page directly,
rather than requiring a network request) under the constraints of the
sandbox security model.

> Now, others may think all of sandboxing is bad, but they should submit
> a bug, accordingly.

Half or more of your Change Proposal rationale is arguing that all of
sandboxing is bad (most particularly, the part arguing that authors
are too stupid to realize that using <iframe srcdoc sandbox> to
display comments on their blog won't protect them against SQL
injection when handling form submission of new comments).  I would
appreciate it if you would remove those sections and file bugs
accordingly.

~TJ

Received on Wednesday, 14 April 2010 22:02:16 UTC