Re: Trying to use <iframe srcdoc= >

On Jan 25, 2010, at 3:45 PM, Gavin Carothers wrote:

> On Mon, Jan 25, 2010 at 3:35 PM, Gavin Carothers <gavin@carothers.name> wrote:
> 
> Question for browser implementers:
> 
> Currently sandbox is tied to iframe in the spec, is that strictly
> necessary? Would it be possible to implement @sandbox in such a way
> that it could be used on a div/article/p?
> 
> eg:
> <div sandbox="allow-same-origin">
> <p>javascript:x = 3; (x &gt; 5)? "x is less": "x is greater"<br>
> should be:<br>
> javascript:x = 3; (x &gt; 5)? "x is greater" : "x is less"<br>
> </p>
> </div>

There are two problems with this:

1) It's easy to break out of the <div> here prematurely with mismatched tags - sanitizing markup to fully defend against that is hard. Though some have suggested inline sandboxing that is more robust, for example having matching random tokens on both the start and open tag:

<sandbox allow-same-origin token=F4C79A1094B3D34201E>
<p>javascript:x = 3; (x &gt; 5)? "x is less": "x is greater"<br>
should be:<br>
javascript:x = 3; (x &gt; 5)? "x is greater" : "x is less"<br>
</p>
</sandbox token=F4C79A1094B3D34201E>

But having attributes on a close tag is distasteful, and it makes the security depend on generating strong random tokens.

2) The feature depends on making a separate browsing context (i.e. the guts of a frame, a new Window object, a separate document, etc) for the sandboxed content. So it would be misleading to make it appear to be really truly inline. (The <sandbox> tag plus magic attribute idea above has this problem as well.)

Regards,
Maciej

Received on Tuesday, 26 January 2010 03:26:46 UTC