Re: <iframe doc="">

Smylers wrote:
> Julian Reschke writes:
>> Ian Hickson wrote:
>>>           <iframe seamless sandbox="allow-scripts allow-forms" doc="
>>>             Read my blog!
>>>             <a href='#' onclick='alert(document.cookie)'> Click here</a> 
>>>           "> </iframe> 
>> I thought markup in attributes was a super-anti-pattern.
>> How about adding one level of indirection?
>>           <iframe seamless sandbox="allow-scripts allow-forms"  
>> doc="#x"> </iframe> 
>>           ...
>>           <span id=x> <a href='#' onclick='alert(document.cookie)'> Click  
>> here</a> </span> 
> Wouldn't that have the security problem that a browser which doesn't
> know about sandbox will just have that content as a normal part of the
> page, unsandboxed?

Indeed. I misunderstood the use case.

> (Whereas using the attribute, a non-sandbox-supporting browser will
> simply ignore the attribute.  The content won't render; which obviously
> isn't ideal, but it's preferably to being insecure.)

Putting markup into attributes is very ugly, so it appears to be 
sub-optimal to add a way to do so.

Isn't a URI in the "data" scheme sufficient for this use case?

Best regards, Julian

Received on Saturday, 16 January 2010 17:45:22 UTC