
Re: <iframe doc="">

From: Karl Dubost <karl+w3c@la-grange.net>
Date: Sat, 16 Jan 2010 08:42:12 -0500
Message-Id: <EC1B743B-6D93-42FA-9634-54E22A54A782@la-grange.net>
Cc: public-html@w3.org
To: Smylers <Smylers@stripey.com>

On 16 Jan 2010, at 05:23, Smylers wrote:
> Julian Reschke writes:
>> How about adding one level of indirection?
>>     <iframe seamless sandbox="allow-scripts allow-forms" doc="#x"></iframe>
>>     ...
>>     <span id=x><a href='#' onclick='alert(document.cookie)'>Click here</a></span>
> Wouldn't that have the security problem that a browser which doesn't
> know about sandbox will just have that content as a normal part of the
> page, unsandboxed?

An element <sandbox> could raise the level, but not that much, and would not solve the issue you are mentioning.

> (Whereas using the attribute, a non-sandbox-supporting browser will
> simply ignore the attribute.  The content won't render; which obviously isn't ideal, but it's preferable to being insecure.)

That's a good point, and I was wondering how old browsers would be coping with this construct. (IE6, Netscape 4.5, etc.)

It is also very fragile in terms of authoring: double quotes and single quotes will introduce many errors.

Karl Dubost
Montréal, QC, Canada
Received on Saturday, 16 January 2010 13:42:18 UTC
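The two points raised in this exchange, the quoting fragility of carrying a document inside an attribute and the fail-closed behaviour of keeping untrusted content only in that attribute, as an added example that is not code from the thread or from any of its participants. It assumes the attribute takes the shape this proposal later got in HTML, `srcdoc="..."` with a double-quoted value, so the two characters that matter in such a value (`&` and `"`) are the ones escaped; the sandbox token list is a subset written for the example, and `srcdocValue` / `scriptOutsideSrcdoc` are deliberately simplified checks, not an HTML parser.

```javascript
// Added example (not from the thread). Assumes the inline-document
// attribute is spelled srcdoc="..." with a double-quoted value.

// Subset of sandbox tokens, written for this example.
const SANDBOX_TOKENS = new Set([
  "allow-forms", "allow-scripts", "allow-same-origin",
  "allow-popups", "allow-top-navigation",
]);

// Escape a string for use inside a double-quoted HTML attribute value.
// Only '&' and '"' can end or corrupt such a value; '<' and '>' may stay.
function escapeAttr(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Reverse of escapeAttr: the text the parser hands to the frame document.
// &quot; is decoded before &amp; so that an escaped "&amp;quot;" round-trips.
function unescapeAttr(value) {
  return value.replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// Build a sandboxed iframe whose document lives only in the attribute.
// A browser that ignores the attribute shows an empty frame and never sees
// the untrusted markup as part of the host page (fail closed).
function sandboxedIframe(untrustedHtml, tokens) {
  for (const t of tokens) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error("unknown sandbox token: " + t);
  }
  // A same-origin document that may run script can reach the parent and
  // strip its own sandbox attribute, so refuse that combination outright.
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    throw new Error("allow-scripts with allow-same-origin defeats the sandbox");
  }
  return `<iframe sandbox="${tokens.join(" ")}" ` +
         `srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`;
}

// The authoring mistake: untrusted text dropped into the attribute as-is.
function naiveIframe(untrustedHtml, tokens) {
  return `<iframe sandbox="${tokens.join(" ")}" srcdoc="${untrustedHtml}"></iframe>`;
}

// Simplified check: the value a parser would give the srcdoc attribute,
// i.e. everything up to the first '"' after srcdoc=". Not a real parser.
function srcdocValue(markup) {
  const marker = 'srcdoc="';
  const start = markup.indexOf(marker);
  if (start < 0) return null;
  const from = start + marker.length;
  const end = markup.indexOf('"', from);
  return unescapeAttr(markup.slice(from, end));
}

// Simplified check: does a <script> tag end up outside the srcdoc value,
// i.e. in the host page, where no sandbox applies?
function scriptOutsideSrcdoc(markup) {
  const marker = 'srcdoc="';
  const start = markup.indexOf(marker) + marker.length;
  const end = markup.indexOf('"', start);
  const outside = markup.slice(0, start) + markup.slice(end + 1);
  return /<script\b/i.test(outside);
}

// Constructed attacker input: closes the attribute and the iframe, then
// plants a script in the host page.
const PAYLOAD = '"></iframe><script>alert(document.cookie)</script>';

function demo() {
  const tokens = ["allow-scripts", "allow-forms"];
  const safe = sandboxedIframe(PAYLOAD, tokens);
  const naive = naiveIframe(PAYLOAD, tokens);
  return {
    safe,
    naive,
    safeLeaksScript: scriptOutsideSrcdoc(safe),     // false
    naiveLeaksScript: scriptOutsideSrcdoc(naive),   // true
    safeFrameGets: srcdocValue(safe),               // the payload, inert inside the frame
    naiveFrameGets: srcdocValue(naive),             // "" (attribute ended at the payload's quote)
  };
}

console.log(demo());
```

In a real page the markup would be produced by a templating layer that escapes attribute values by default; the point of `naiveIframe` is to show what one missed quote costs. The `allow-scripts` plus `allow-same-origin` refusal is the other check worth keeping: without it the "sandbox" is only as strong as the framed document chooses to leave it.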
