I don't understand why you think object/embed provides more security than iframe. When you load HTML into an object/embed, what you get is exactly the same as an iframe. Adam On Mon, Jan 18, 2010 at 8:11 AM, Joe D Williams <joedwil@earthlink.net> wrote: > I hit the button a bit early (or way too late) but the main point was to be > that there has to be a better way that will stand the test of whether all > features of html5 remain available to the xml community and specifically to > the author that needs to move from text/html to application/xhtml+xml. > > That said, an even bigger point is that while I totally support predictable > and authorable security enhancements to <iframe> it seems like we should > really try to do it inside the rails. It is no accident that attrs are > intended for final data values, not element content. That just makes it > easier for mere mortals to work with. Just as an example, consider looking > at this as three levels of security: an ordinary <div> that is an element in > the DOM and fully accessible; an <iframe> which is intended for importing > interactive html and may or may not produce authorable elements in the host > DOM depending upon UA defaults and author's declarations; and > <embed>/<object> which are designed to allow secure operation of an > 'external' but connected execution context with carefully defined scriptable > interfaces to the host DOM. > Needless to say the security techniques employed for <embed> and <object> > may not be appropriate for <iframe>, still there are similarities that > should be explored before diving into the user code bozungle of html/xml > attributes as content. > > Thanks Again and Best Regards, > Joe > > >Received on Monday, 18 January 2010 17:50:16 UTC
This archive was generated by hypermail 2.4.0 : Saturday, 9 October 2021 18:45:07 UTC