Re: <iframe doc="">

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 16 Jan 2010 18:44:41 +0100
Message-ID: <4B51FB09.2040500@gmx.de>
To: public-html@w3.org

Smylers wrote:
> Julian Reschke writes:
> 
>> Ian Hickson wrote:
>>
>>>           <iframe seamless sandbox="allow-scripts allow-forms" doc="
>>>             Read my blog!
>>>             <a href='#' onclick='alert(document.cookie)'> Click here</a> 
>>>           "> </iframe> 
>> I thought markup in attributes was a super-anti-pattern.
>>
>> How about adding one level of indirection?
>>
>>           <iframe seamless sandbox="allow-scripts allow-forms" doc="#x"> </iframe>
>>
>>           ...
>>
>>           <span id=x> <a href='#' onclick='alert(document.cookie)'> Click here</a> </span>
> 
> Wouldn't that have the security problem that a browser which doesn't
> know about sandbox will just have that content as a normal part of the
> page, unsandboxed?

Indeed. I misunderstood the use case.

> (Whereas using the attribute, a non-sandbox-supporting browser will
> simply ignore the attribute.  The content won't render; which obviously
> isn't ideal, but it's preferable to being insecure.)

Putting markup into attributes is very ugly, so it appears to be 
sub-optimal to add a way to do so.

Isn't a URI in the "data" scheme sufficient for this use case?

Best regards, Julian
Received on Saturday, 16 January 2010 17:45:22 UTC
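
The "data" scheme idea from the end of this message, combined with the fail-closed behaviour Smylers asks for, as an added example that is not part of the original thread. The function names are hypothetical, and the feature check assumes a DOM `document` (or a stand-in with `createElement`) is passed in.

```javascript
// Added example, not code from the thread. All function names are hypothetical.

// Escape a string for use as HTML text or inside a double-quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Carry the untrusted markup as the iframe's document through a data: URI,
// so it never appears as markup in the embedding page.
function sandboxedFrame(untrustedHtml) {
  const src = 'data:text/html;charset=utf-8,' + encodeURIComponent(untrustedHtml);
  // No allow-same-origin token: the framed content does not get the page's origin.
  return '<iframe sandbox="allow-scripts allow-forms" src="' + escapeHtml(src) + '"></iframe>';
}

// Feature check: does this document's iframe element know the sandbox attribute?
function supportsSandbox(doc) {
  return 'sandbox' in doc.createElement('iframe');
}

// Fail closed: without sandbox support the content is shown as inert text,
// never as live markup in the page.
function renderComment(untrustedHtml, doc) {
  return supportsSandbox(doc)
    ? sandboxedFrame(untrustedHtml)
    : '<pre>' + escapeHtml(untrustedHtml) + '</pre>';
}

// Constructed sample input (the link from the thread) and two stand-in documents.
const SAMPLE = "<a href='#' onclick='alert(document.cookie)'>Click here</a>";
const modernDoc = { createElement: () => ({ sandbox: '' }) };
const legacyDoc = { createElement: () => ({}) };

console.log(renderComment(SAMPLE, modernDoc));
console.log(renderComment(SAMPLE, legacyDoc));
```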