- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sat, 16 Jan 2010 21:54:33 -0500
- To: "Michael A. Puls II" <shadow2531@gmail.com>
- CC: public-html WG <public-html@w3.org>
On 1/16/10 8:54 PM, Michael A. Puls II wrote: > <!DOCTYPE html> > <html> > <head> > <meta charset="utf-8"> > <title></title> > </head> > <body> > <iframe doc='<!DOCTYPE html> > <html> > <head> > <meta charset="utf-8"> > <title>test</title> > </head> > <body> > <p>test</p> > </body> > </html>'></iframe> > </body> > </html> Try this in a Gecko-based browser: <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title></title> </head> <body> <iframe src='data:text/html,<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>test</title> </head> <body> <p>test</p> </body> </html>'></iframe> </body> </html> Yes, that's technically not a valid data: URI. Perhaps it's worth just making it valid? > @doc is way more readable (the @ value at least), easier to author by > hand, and tends to use less bytes than data URIs (although that might > depend on how much you have to use entities so the markup doesn't break > out of the attribute). The data: URI as used above will of course always use a few more bytes for the "data:text/html," part... > But, as far as security, I don't remember what @doc has over > @src="data:". I think it was mentioned though and had something to do > with origin problems with src="data:". Specifically that some current UAs put src="data:" in the origin of the parent page? -Boris
Received on Sunday, 17 January 2010 02:55:13 UTC