Re: <iframe doc="">

On Sat, 16 Jan 2010, Julian Reschke wrote:
> Ian Hickson wrote:
> > On Fri, 15 Jan 2010, Karl Dubost wrote:
> > > Le 12 janv. 2010 à 20:58, Ian Hickson a écrit :
> > > > Maciej, I will be adding a specification for the oft-discussed doc=""
> > > > attribute on <iframe> to the HTML5 spec in the near future.
> > > Would it be possible to have a markup example? (I mean the content of the
> > > attribute).
> > 
> > The details depend on ongoing discussions, but e.g.:
> > 
> >           <iframe seamless sandbox="allow-scripts allow-forms" doc="
> >             Read my blog!
> >             <a href='#' onclick='alert(document.cookie)'>Click here</a>
> >           "></iframe>
> 
> I thought markup in attributes was a super-anti-pattern.

Markup in attributes has it's disadvantages, but it's not necessarily a 
problem. data: URLs of HTML resources are a common case of markup in an 
attribute that seems to work ok; it is in fact the inspiration for doc="". 
The main problems with data: attributes in this context are:

 - data: attributes require more escaping
 - the definition of 'origin' for data: attributes isn't fully stable
 - using data: has the wrong fallback story (it fails open, instead of 
   closed)


> How about adding one level of indirection?
> 
>           <iframe seamless sandbox="allow-scripts allow-forms"
> doc="#x"></iframe>
> 
>           ...
> 
>           <span id=x><a href='#' onclick='alert(document.cookie)'>Click
> here</a></span>

Indirection has proved very confusing for authors (that's one of the 
problems with xmlns=""), and the security story here doesn't seem ideal 
either. Ideally we'd want something that can be used in a way where 
fallback is provided in a securable fashion even in legacy UAs.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'