- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 18 Jan 2010 09:49:24 -0800
- To: Joe D Williams <joedwil@earthlink.net>
- Cc: Henri Sivonen <hsivonen@iki.fi>, public-html@w3.org
I don't understand why you think object/embed provides more security than iframe. When you load HTML into an object/embed, what you get is exactly the same as an iframe. Adam On Mon, Jan 18, 2010 at 8:11 AM, Joe D Williams <joedwil@earthlink.net> wrote: > I hit the button a bit early (or way too late) but the main point was to be > that there has to be a better way that will stand the test of whether all > features of html5 remain available to the xml community and specifically to > the author that needs to move from text/html to application/xhtml+xml. > > That said, an even bigger point is that while I totally support predictable > and authorable security enhancements to <iframe> it seems like we should > really try to do it inside the rails. It is no accident that attrs are > intended for final data values, not element content. That just makes it > easier for mere mortals to work with. Just as an example, consider looking > at this as three levels of security: an ordinary <div> that is an element in > the DOM and fully accessible; an <iframe> which is intended for importing > interactive html and may or may not produce authorable elements in the host > DOM depending upon UA defaults and author's declarations; and > <embed>/<object> which are designed to allow secure operation of an > 'external' but connected execution context with carefully defined scriptable > interfaces to the host DOM. > Needless to say the security techniques employed for <embed> and <object> > may not be appropriate for <iframe>, still there are similarities that > should be explored before diving into the user code bozungle of html/xml > attributes as content. > > Thanks Again and Best Regards, > Joe > > >
Received on Monday, 18 January 2010 17:50:16 UTC