Re: <iframe doc="">

On Sun, Jan 24, 2010 at 2:06 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Tab Atkins Jr. wrote:
>>
>> ...
>> If I had to write it by hand, of course I wouldn't be happy.  That's
>> not what it's for.  If I'm writing it by hand I can skip the <iframes>
>> entirely, because I know what I'm writing and thus don't need to
>> protect myself against myself.  This sort of stuff is meant to be
>> generated by code, like this:
>> ...
>
> Indeed.
>
> And that code could also produce properly escaped data URIs.
>
> Can we please try harder to avoid introducing another attribute, and fix the
> problem we have with data URIs instead?

I'm not certain what the security implications are of missing certain
parts of a data URI's more complex escaping.  Are there any surprising
ones?  Or do the standard url-escaping functions built into basically
all programming languages cover it completely?

The main problem with data URIs, as I understand it, is that they are
defined to have a unique origin, regardless of @sandbox directives.
*Is* this something that can be easily changed?  What are the
implications of doing so?

~TJ

Received on Sunday, 24 January 2010 20:17:09 UTC
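
An added example, not part of the original thread, for the question of whether a standard URL-escaping function is enough when generated code puts untrusted markup into a data URI. It assumes JavaScript's `encodeURIComponent` as that function; every function name and the sample markup are hypothetical. It does not address the unique-origin question.

```javascript
// Added example (not from the thread); all function names are hypothetical.

// encodeURIComponent leaves these unescaped: A-Z a-z 0-9 - _ . ! ~ * ' ( )
// Percent-encode the leftover punctuation so the URI is inert under either
// attribute quoting style.
function strictEncode(text) {
  return encodeURIComponent(text).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

function toDataUri(html, encode = strictEncode) {
  return "data:text/html;charset=utf-8," + encode(html);
}

// Recover the markup the framed document would be parsed from.
function fromDataUri(uri) {
  return decodeURIComponent(uri.slice(uri.indexOf(",") + 1));
}

// Characters that can end an attribute value or start markup in the host page.
function breakoutChars(uri) {
  return [...new Set(uri.match(/["'<>&\s]/g) || [])];
}

function iframeTag(uri, quote) {
  return "<iframe sandbox src=" + quote + uri + quote + "></iframe>";
}

// Simplified model of an HTML parser: the value ends at the first matching quote.
function parsedSrc(tag) {
  return tag.match(/src=(["'])(.*?)\1/)[2];
}

// Constructed sample of user-supplied comment markup.
const SAMPLE = `<p title="x">it's 100% "quoted" & <b>bold</b> #frag?</p>`;

const plain = toDataUri(SAMPLE, encodeURIComponent);
const strict = toDataUri(SAMPLE);

console.log("plain  leaves:", breakoutChars(plain));   // the apostrophe survives
console.log("strict leaves:", breakoutChars(strict));  // nothing survives
console.log("single-quoted, plain  intact:", parsedSrc(iframeTag(plain, "'")) === plain);
console.log("single-quoted, strict intact:", parsedSrc(iframeTag(strict, "'")) === strict);
console.log("round trip ok:", fromDataUri(strict) === SAMPLE);
```

With a double-quoted `src` attribute the plain `encodeURIComponent` output is already inert; the apostrophe only matters when the generating template uses single quotes.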