Re: Trying to use <iframe srcdoc= > from Tab Atkins Jr. on 2010-01-25 (public-html@w3.org from January 2010)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Mon, 25 Jan 2010 17:12:30 -0600
To: Gavin Carothers <gavin@carothers.name>
Cc: HTMLwg <public-html@w3.org>
Message-ID: <dd0fbad1001251512r6cba921idda68428f05272f3@mail.gmail.com>

On Mon, Jan 25, 2010 at 5:07 PM, Gavin Carothers <gavin@carothers.name> wrote:
> In order to form a better opinion on how srcdoc might work, I figured
> I'd try it out on a use case that doesn't exactly match the blog
> comments in the spec but is reasonably close.
>
> http://oreilly.com/catalog/errataunconfirmed.csp?isbn=9780596101992
>
> This page allows our customers to enter errata (errors) found in our
> books. Unsurprisingly with a book about Javascript some of the errors
> involve customers entering Javascript code they expect to be displayed
> on the website. An early version of our software had, as one might
> expect,a script injection bug in it. We are currently looking at
> updating said system and looked like a good use case for srcdoc.
>
> I'm afraid I'm not going to be going very far with this:
>
> http://gavin.carothers.name/iframe-srcdoc/iframe-srcdoc.html
>
> Did a quick test by hand for just one entry. The problem should be
> very apparent. No browser today supports srcdoc, and when it fails no
> content is shown on the page. It would be impossible to adopt using
> srcdoc for any content to be shown on a page. While it would be
> possible to do server side UA detection there is little reason to as
> we would have to continue to maintain a server side sandboxing method
> for all current browsers. Given that we would still need to do all the
> sandboxing/escaping/validation work there seems little benefit to
> adding a UA detection mechanism to support this feature.
>
> Am I missing something? This doesn't seem like a place where adding
> iframes with srcdocs via javascript if supported would make any sense
> as the whole point of srcdoc is to avoid the additional HTTP requests.

You can still use @src to point to the comment directly.  A browser
that supports @srcdoc will ignore the @src.

The important thing, though, is to feature-test for @sandbox support,
as that's the relevant part.  In general, using <iframe>s for this
sort of thing won't be feasible for a few years, until all relevant
browsers support @sandbox.

~TJ

Received on Monday, 25 January 2010 23:13:19 UTC