- From: Smylers <Smylers@stripey.com>
- Date: Sat, 16 Jan 2010 10:23:58 +0000
- To: public-html@w3.org
Julian Reschke writes:

> Ian Hickson wrote:
>
> >   <iframe seamless sandbox="allow-scripts allow-forms" doc="
> >     Read my blog!
> >     <a href='#' onclick='alert(document.cookie)'>Click here</a>
> >   "></iframe>
>
> I thought markup in attributes was a super-anti-pattern.
>
> How about adding one level of indirection?
>
>   <iframe seamless sandbox="allow-scripts allow-forms"
>     doc="#x"></iframe>
>
>   ...
>
>   <span id=x><a href='#' onclick='alert(document.cookie)'>Click
>   here</a></span>

Wouldn't that have the security problem that a browser which doesn't know
about sandbox will just have that content as a normal part of the page,
unsandboxed?

(Whereas using the attribute, a non-sandbox-supporting browser will simply
ignore the attribute. The content won't render; which obviously isn't ideal,
but it's preferable to being insecure.)

Smylers
-- 
Watch fiendish TV quiz 'Only Connect' (some questions by me)
Mondays at 20:30 on BBC4, or iPlayer: http://www.bbc.co.uk/programmes/b00lskhg
Received on Saturday, 16 January 2010 10:24:29 UTC
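The two failure modes the thread touches on, worked through as an added example (this code is not from the mailing-list post or from any browser or spec text): untrusted HTML placed in an iframe attribute must be attribute-escaped, otherwise a stray double quote in the content closes the attribute and the rest runs in the host page, outside the sandbox; and a host page should fail closed, emitting nothing rather than the unsandboxed content, when the browser lacks sandbox support. The attribute is written here as `srcdoc`, the name under which the draft's `doc=""` later shipped; the `escapeAttr`, `sandboxedIframe`, `sandboxSupported` and `renderUntrusted` functions and the hostile sample comment are all constructed for this example, and `sandboxSupported` takes the page's `document` as a parameter so it can be exercised with a stand-in object outside a browser.

```javascript
// Added example, not code from the original post. Builds a sandboxed
// iframe around untrusted HTML and refuses to render it when the browser
// cannot sandbox it.

// Escape a string for use inside a double-quoted HTML attribute value.
// `&` is replaced first so the entities produced afterwards are not re-escaped.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Markup for an iframe whose document is the (escaped) untrusted HTML.
// The sandbox flags are assumed defaults for this example.
function sandboxedIframe(untrustedHtml, flags = ['allow-scripts', 'allow-forms']) {
  return '<iframe sandbox="' + flags.join(' ') + '" srcdoc="' +
    escapeAttr(untrustedHtml) + '"></iframe>';
}

// Feature detection: supporting browsers expose `sandbox` and `srcdoc`
// as properties on iframe elements. `doc` is the page's `document`.
function sandboxSupported(doc) {
  const frame = doc.createElement('iframe');
  return 'sandbox' in frame && 'srcdoc' in frame;
}

// Fail closed: the untrusted markup is only emitted when it will be sandboxed.
// An unsupporting browser gets a placeholder instead of unsandboxed content.
function renderUntrusted(untrustedHtml, doc) {
  if (!sandboxSupported(doc)) {
    return '<p>Embedded content not shown: this browser cannot sandbox it.</p>';
  }
  return sandboxedIframe(untrustedHtml);
}

// Constructed sample: a blog comment that tries to close the srcdoc attribute
// and inject an element into the host page. Without escaping, the onerror
// handler would run with the host page's origin and cookies.
const hostile =
  'Read my blog! "><img src=x onerror="alert(document.cookie)"><iframe srcdoc="';

// Sanity check on generated markup: the only double quotes present must be
// the four the wrapper itself emits (two per attribute), so nothing from the
// untrusted content can have terminated an attribute early.
function attributeIntact(markup) {
  return (markup.match(/"/g) || []).length === 4;
}
```

In the browser the call would be `renderUntrusted(comment, document)`; the placeholder branch is the attribute-based behaviour Smylers describes (content not shown rather than shown unsandboxed), and the escaping is what the "markup in attributes" objection makes necessary.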