> > > That security issue is completely independent from XSS, which is where > client-side scripts are inserted into user generated content which, when > subsequently output by the server in the page and viewed by other users, > execute in the browser with the same origin, and thus priviliges, as a > normal script inserted by the page owner would have. > > http://en.wikipedia.org/wiki/Cross-site_scripting > > Sandboxing in this context in an additional layer of protection against > XSS. It's a signal to the browser that it should not permit, for example, > the execution of scripts, or to allow scripts but resrict their access in > specific ways (depending on the sandbox attribute's value). > Let me ask you something else Lachlan: is there any CMS, such as Wordpress or Drupal, or any other application in the entire world that wants to let you store a comment with a script injection into the database? The srcdoc attribute is attempting to solve a problem that's not a browser's to solve. > -- > Lachlan Hunt - Opera Software > Shelley > http://lachy.id.au/ > http://www.opera.com/ >Received on Monday, 25 January 2010 22:18:16 UTC
This archive was generated by hypermail 2.4.0 : Saturday, 9 October 2021 18:45:08 UTC