Re: <iframe doc="">

I don't understand why you think object/embed provides more security
than iframe.  When you load HTML into an object/embed, what you get is
exactly the same as an iframe.


On Mon, Jan 18, 2010 at 8:11 AM, Joe D Williams <> wrote:
> I hit the button a bit early (or way too late) but the main point was to be
> that there has to be a better way that will stand the test of whether all
> features of html5 remain available to the xml community and specifically to
> the author that needs to move from text/html to application/xhtml+xml.
> That said, an even bigger point is that while I totally support predictable
> and authorable security enhancements to <iframe> it seems like we should
> really try to do it inside the rails. It is no accident that attrs are
> intended for final data values, not element content. That just makes it
> easier for mere mortals to work with. Just as an example, consider looking
> at this as three levels of security: an ordinary <div> that is an element in
> the DOM and fully accessible; an <iframe> which is intended for importing
> interactive html and may or may not produce authorable elements in the host
> DOM depending upon UA defaults and author's declarations; and
> <embed>/<object> which are designed to allow secure operation of an
> 'external' but connected execution context with carefully defined scriptable
> interfaces to the host DOM.
> Needless to say the security techniques employed for <embed> and <object>
> may not be appropriate for <iframe>, still there are similarities that
> should be explored before diving into the user code bozungle of html/xml
> attributes as content.
> Thanks Again and Best Regards,
> Joe

Received on Monday, 18 January 2010 17:50:16 UTC