One advantage of @doc over @src=data is that setting @doc via the DOM is pretty idiot-proof: window.addEventListener("message", function (evt) { var ifr = makeMeAnIframe(); ifr.sandbox = "allow-scripts"; ifr.doc = evt.data; }, false); Adam On Sun, Jan 17, 2010 at 9:55 AM, Lachlan Hunt <lachlan.hunt@lachy.id.au> wrote: > Ian Hickson wrote: >> >> - data: attributes require more escaping >> - the definition of 'origin' for data: attributes isn't fully stable >> - using data: has the wrong fallback story (it fails open, instead of >> closed) > > While this doesn't address the first two points, the fallback story can be > somewhat improved by using text/html-sandboxed: > > <iframe src="data:text/html-sandboxed,<!DOCTYPE html><p>test"></iframe> > > The fallback for this is then the same as for using text/html-sandboxed over > HTTP, which admittedly has its own set of problems in current browsers. > > -- > Lachlan Hunt - Opera Software > http://lachy.id.au/ > http://www.opera.com/ > >Received on Sunday, 17 January 2010 18:19:06 UTC
This archive was generated by hypermail 2.4.0 : Saturday, 9 October 2021 18:45:07 UTC