Re: <iframe doc="">

On 16 Jan. 2010 at 05:23, Smylers wrote:
> Julian Reschke writes:
>> How about adding one level of indirection?
>>   <iframe seamless sandbox="allow-scripts allow-forms" doc="#x"></iframe>
>>   ...
>>   <span id=x><a href='#' onclick='alert(document.cookie)'>Click here</a></span>
> Wouldn't that have the security problem that a browser which doesn't
> know about sandbox will just have that content as a normal part of the
> page, unsandboxed?

An element <sandbox> could raise the level, but not that much, and would not solve the issue you are mentioning.

> (Whereas using the attribute, a non-sandbox-supporting browser will
> simply ignore the attribute.  The content won't render; which obviously
> isn't ideal, but it's preferable to being insecure.)

That's a good point, and I was wondering how old browsers would be coping with this construct. (IE6, Netscape 4.5, etc.)

It is also very fragile in terms of authoring; double quotes and single quotes will introduce many errors.

Karl Dubost
Montréal, QC, Canada
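An added example, not part of this thread or anyone's post in it, showing the two points raised above from the authoring side: (1) the inline content is carried in an attribute, so every quote in it has to be escaped or the markup breaks, and (2) the content is only emitted when the browser's iframe element actually knows the sandbox attribute, so a browser without sandbox support is never handed the content as a normal part of the page. The attribute is spelled srcdoc here (the name HTML later standardized for inline frame content; the thread calls it doc). The helper names, the stub documents and the sample payload are constructed for this example.

```javascript
// Added example (not from the thread). Runs under Node or in a browser.

// Escape a string for use inside a double-quoted HTML attribute value.
// Order matters: '&' first, so later entities are not double-escaped.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Does this document's iframe element know the sandbox attribute?
// Takes a document-like object so the check can be exercised outside a browser.
function sandboxSupported(doc) {
  const el = doc.createElement("iframe");
  return "sandbox" in el;
}

// Build the markup for a sandboxed inline frame.
//   untrustedHtml: the content we want isolated
//   allow:         sandbox flags to grant (e.g. ["allow-scripts", "allow-forms"])
//   doc:           the document (or a stub) used for feature detection
// If sandbox is unsupported, the content is withheld entirely rather than
// rendered unsandboxed, which is the failure mode discussed in the thread.
function sandboxedFrame(untrustedHtml, allow, doc) {
  if (!sandboxSupported(doc)) {
    return '<iframe sandbox="" title="content withheld"></iframe>';
  }
  const flags = allow.join(" ");
  return (
    '<iframe sandbox="' + escapeAttr(flags) + '" ' +
    'srcdoc="' + escapeAttr(untrustedHtml) + '"></iframe>'
  );
}

// Constructed sample input: the payload quoted in the thread, written with
// both single and double quotes to exercise the escaping.
const sample = "<a href='#' onclick=\"alert(document.cookie)\">Click here</a>";

// Constructed stub documents: one whose iframe has a sandbox property, one without.
const modernDoc = { createElement: () => ({ sandbox: "" }) };
const legacyDoc = { createElement: () => ({}) };

// Usage: print what each kind of browser would receive.
console.log(sandboxedFrame(sample, ["allow-scripts", "allow-forms"], modernDoc));
console.log(sandboxedFrame(sample, ["allow-scripts", "allow-forms"], legacyDoc));
```

In a real page you would pass `document` as the third argument; the stubs exist only so the block runs without a DOM.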

Received on Saturday, 16 January 2010 13:42:18 UTC