text/sandboxed-html from Ian Hickson on 2010-01-13 (public-html@w3.org from January 2010)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 13 Jan 2010 01:51:49 +0000 (UTC)
To: public-html@w3.org
Cc: public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.1001130142100.17804@hixie.dreamhostps.com>

In response to implementor feedback regarding the sandbox="" feature of 
<iframe> in the WHATWG list [1], and based in part on a 2007 research 
paper from Microsoft [2], I have introduced a new MIME type for HTML 
(text/sandboxed-html) that is identical to text/html in every way except 
one critical aspect: resources served with this MIME type are forced into 
a unique security origin context.

This feature can also be used with <iframe sandbox=""> to force the 
desired behaviour in legacy UAs -- fallback to either no sandbox is 
possible as before (for the case where sandbox="" is being used for 
defence-in-depth), and fallback to load failure is now possible by serving 
the content with this type (for the case where legacy UAs are not intended 
to be supported and sandbox="" is being used for first-line security).

This is somewhat experimental, and so feedback (especially implementor 
feedback) regarding this proposal is encouraged.
   
[1] http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2010-January/024732.html
[2] http://research.microsoft.com/en-us/um/people/helenw/papers/sosp07MashupOS.pdf

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 13 January 2010 01:52:19 UTC