- From: Joe D Williams <joedwil@earthlink.net>
- Date: Mon, 18 Jan 2010 08:11:07 -0800
- To: "Joe D Williams" <joedwil@earthlink.net>, "Henri Sivonen" <hsivonen@iki.fi>, <public-html@w3.org>
I hit the button a bit early (or way too late) but the main point was to be that there has to be a better way that will stand the test of whether all features of html5 remain available to the xml community and specifically to the author that needs to move from text/html to application/xhtml+xml. That said, an even bigger point is that while I totally support predictable and authorable security enhancements to <iframe> it seems like we should really try to do it inside the rails. It is no accident that attrs are intended for final data values, not element content. That just makes it easier for mere mortals to work with. Just as an example, consider looking at this as three levels of security: an ordinary <div> that is an element in the DOM and fully accessible; an <iframe> which is intended for importing interactive html and may or may not produce authorable elements in the host DOM depending upon UA defaults and author's declarations; and <embed>/<object> which are designed to allow secure operation of an 'external' but connected execution context with carefully defined scriptable interfaces to the host DOM. Needless to say the security techniques employed for <embed> and <object> may not be appropriate for <iframe>, still there are similarities that should be explored before diving into the user code bozungle of html/xml attributes as content. Thanks Again and Best Regards, Joe
Received on Monday, 18 January 2010 16:13:07 UTC