Re: <iframe doc=""> from Tab Atkins Jr. on 2010-01-25 (public-html@w3.org from January 2010)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Mon, 25 Jan 2010 09:20:11 -0600
To: Shelley Powers <shelley.just@gmail.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Lars Gunther <gunther@keryx.se>, "public-html@w3.org WG" <public-html@w3.org>
Message-ID: <dd0fbad1001250720l543477c6y69383493ef5cee83@mail.gmail.com>

On Mon, Jan 25, 2010 at 9:07 AM, Shelley Powers <shelley.just@gmail.com> wrote:
> So, what you're saying is that this change really won't do much when it
> comes to weblog comments?

I said nothing of the sort.  Please don't be disingenuous when
interpreting comments.  Your list of issues contained:
• 2 issues that have nothing to do with displaying untrusted content,
and thus are completely irrelevant to the discussion
• 2 issues about blocking particular types of elements, which may be
possible with @sandbox if it's argued persuasively that it would be
worthwhile
• 1 issue about XHTML that would be great to fix, but the XHTML
community has continually had major pushback on whenever browsers have
wanted to fix it (it's not a problem for HTML pages)
• 1 reasonable question that I answered, but which doesn't have any
direct relevance on @sandbox
• 1 reasonable concern that didn't take into account relevant
information, which I corrected

So, there are some areas where we could possibly add more protection
with @sandbox.  None of your issues touched on the important areas
that @sandbox already *does* cover, though.  In other words, please
don't think of your list as exhaustive.  Most it wasn't relevant to
@sandbox at all, and the parts that were relevant only addressed
particular use-cases, which is far from enough to declare that
@sandbox "won't do much".

> No, I'm still talking about srcdoc, since that was the change that Ian
> added, and the use case Ian provided was weblog comments. If the discussion
> indirectly impacts on sandbox, and the only reason for the sandbox attribute
> was weblog comments, then we can discuss that one, too.

But you're *not* talking about @srcdoc.  Not a single thing in your
last few emails concerned @srcdoc at all.  You're talking entirely
about @sandbox.

Do you have any specific concerns about @srcdoc?  It would be good to
hear them instead, so you don't accidentally file a bug to remove
@srcdoc and cite only problems you have with @sandbox instead.  It
would be nice if all bugs filed were over relevant and topical
concerns.

~TJ

Received on Monday, 25 January 2010 15:21:03 UTC