Re: <iframe doc="">

Julian Reschke writes:

> Ian Hickson wrote:
> 
> >           <iframe seamless sandbox="allow-scripts allow-forms" doc="
> >             Read my blog!
> >             <a href='#' onclick='alert(document.cookie)'> Click here</a> 
> >           "> </iframe> 
> 
> I thought markup in attributes was a super-anti-pattern.
> 
> How about adding one level of indirection?
> 
>           <iframe seamless sandbox="allow-scripts allow-forms"  
> doc="#x"> </iframe> 
> 
>           ...
> 
>           <span id=x> <a href='#' onclick='alert(document.cookie)'> Click  
> here</a> </span> 

Wouldn't that have the security problem that a browser which doesn't
know about sandbox will just have that content as a normal part of the
page, unsandboxed?

(Whereas using the attribute, a non-sandbox-supporting browser will
simply ignore the attribute.  The content won't render; which obviously
isn't ideal, but it's preferably to being insecure.)

Smylers
-- 
Watch fiendish TV quiz 'Only Connect' (some questions by me)
Mondays at 20:30 on BBC4, or iPlayer: http://www.bbc.co.uk/programmes/b00lskhg

Received on Saturday, 16 January 2010 10:24:29 UTC