On Mon, Jan 25, 2010 at 4:49 AM, Maciej Stachowiak <mjs@apple.com> wrote: > On Jan 24, 2010, at 8:45 PM, Adam Barth wrote: >> The problem with that approach is that authors will have a difficult >> time predicting how user agents will behave. Perhaps a more >> operational definition is in order? We could say that sandboxed >> content will not be able to use the <object> or <embed> elements >> (including the implied versions that can be created via frames). > > You would also want to banish <applent> in that case. Are we ok with sandboxed content embedding unusual things via <img>, <video> or <audio> if the browser supports that? Safari supports PDF in the <img> element, and also as a CSS background image. Those seem fine. Of course, a user agent could do something insane with <img>, <video>, or <audio>, but then that user agent would likely introduce security vulnerabilities into web sites (such as forums) that let users embed <img> elements with (almost!) arbitrary src attributes. AdamReceived on Monday, 25 January 2010 04:59:43 UTC
This archive was generated by hypermail 2.4.0 : Saturday, 9 October 2021 18:45:08 UTC