- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 15 Jan 2010 20:03:00 +0100
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Ian Hickson <ian@hixie.ch>, public-html@w3.org, public-web-security@w3.org
Maciej Stachowiak wrote: > > On Jan 15, 2010, at 5:33 AM, Julian Reschke wrote: > >> Ian Hickson wrote: >>> In response to implementor feedback regarding the sandbox="" feature >>> of <iframe> in the WHATWG list [1], and based in part on a 2007 >>> research paper from Microsoft [2], I have introduced a new MIME type >>> for HTML (text/sandboxed-html) that is identical to text/html in >>> every way except one critical aspect: resources served with this MIME >>> type are forced into a unique security origin context. >>> ... >> >> For symmetry, we should also have >> >> application/xhtml-sandboxed+xml >> >> right? > > This actually would not have the desired behavior in legacy UAs, because > many (well, at least WebKit-based ones) will recognize any MIME type > ending in +xm as an XML type and will parse it as such. > ... Well, parsing it isn't a problem; right? Do they do more (sniff the namespace?). BR, Julian
Received on Friday, 15 January 2010 19:03:41 UTC