Re: <iframe doc="">

On 25 Jan 2010, at 15:28, Shelley Powers wrote:

> I'm not being disingenuous. And I ask you to remember to be civil in  
> responding to me. I also ask that you stop dictating how and in what  
> way I can bring up concerns.

The concerns you brought[1] were mostly issues unrelated/orthogonal to  
@srcdoc, and some appeared to be strawman arguments (it should be  
obvious to members of this group that HTML is unable to effectively  
prevent spam or server-side SQL injection).

> So I am trying to understand the purpose of this change, and who Ian  
> perceives to be the customer for this change. These are appropriate  
> questions to ask: we can not determine the technical merit of a  
> solution unless we have an understanding of all the particulars.

To understand this you must first understand relationship between  
@srcdoc with @sandbox. You seem to be debating merit of @sandbox, but  
insisting that it is issue of @srcdoc.

Sandbox for comments and ads might still be implemented without  
@srcdoc, for example with src="data:text/html-sandboxed," or external  
file with appropriate MIME type. Do you oppose inclusion of markup in  
@srcdoc attribute (which is one of the options, mainly for authors'  
convenience), or any use of <iframe> for sandboxing of content?

> Adam now has stated this change wasn't to do with comments, but ads.  
> Or not only to do with comments, but also to do with ads. That is an  
> entirely different thing: different customers, different uses,  
> different concerns, different technical challenges.

This is not entirely different thing. Both are examples of untrusted  
markup that would be useful to include inline in the page, without  
risk of XSS and need for very complicated sanitisation.

regards, Kornel


Received on Monday, 25 January 2010 16:25:16 UTC