@sandboxsrc proposal

I agree that srcdoc without default sandbox might give a false sense of security [1]. There were also suggestions that data: URIs already do what @srcdoc does, with the exception of fail-safety for sandboxed content in HTML4 UAs.


My suggestion is to replace @srcdoc with @sandboxsrc.

@sandboxsrc takes a URI. Use of this attribute implies sandbox. When @sandboxsrc is used, @src is ignored.


It allows use of sandboxed data: URIs in new UAs without leaving old UAs insecure, and leaves @src as a fallback for HTML4 UAs.



Because of the need to percent-escape or base64-encode, data: URIs are less efficient than @srcdoc. This could be remedied by defining a preprocessing step on @sandboxsrc (and @src?) that adds the necessary percent-escaping to the value when the value starts with data:.

<iframe sandbox srcdoc="<h1>Hello</h1>">

would be changed to:

<iframe sandboxsrc="data:text/html,<h1>Hello</h1>">


<iframe sandbox src="hello.html-sandboxed">

would be equivalent to:

<iframe sandboxsrc="hello.html-sandboxed">

and allow:

<iframe sandboxsrc="hello.html-sandboxed" src="hello.txt">
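To make the attribute resolution and the proposed percent-escaping step concrete, here is an added JavaScript model. It is not part of the original post and not any UA's actual implementation; `escapeDataUriPayload`, `resolveFrameSource` and the two UA capability objects are hypothetical names I chose for the illustration. It goes a little beyond the post by also showing what an HTML4 UA does with @srcdoc (renders nothing, fail-safe) and with `sandbox src="..."` (renders the content unsandboxed), which is the fallback problem the proposal is meant to avoid.

```javascript
// Added illustration (not from the original post): a model of how
// @sandboxsrc, @src, @srcdoc and @sandbox resolve in a new UA versus an
// HTML4 UA, plus the proposed percent-escaping preprocessing step for
// data: values. All function and object names here are hypothetical.

// Percent-escape the payload of a data: URI so that characters a URI parser
// would misinterpret survive intact: '#' would start a fragment and cut the
// document off, '%' would start an escape sequence, and whitespace, control
// characters and non-ASCII are not URI characters at all.
// Non-data: values, malformed values and base64 payloads are returned as-is.
function escapeDataUriPayload(value) {
  if (!/^data:/i.test(value)) return value;
  const comma = value.indexOf(',');
  if (comma === -1) return value;                            // no payload separator
  const header = value.slice(0, comma + 1);                  // e.g. "data:text/html,"
  if (/;base64$/i.test(value.slice(0, comma))) return value; // base64 is already URI-safe
  const payload = value.slice(comma + 1);
  const escaped = payload.replace(
    /[%#\x00-\x20\x7f-\u{10FFFF}]/gu,
    (ch) => encodeURIComponent(ch),
  );
  return header + escaped;
}

// Capability profiles for the two kinds of user agent discussed in the post.
const NEW_UA = { supportsSandbox: true, supportsSrcdoc: true, supportsSandboxsrc: true };
const HTML4_UA = { supportsSandbox: false, supportsSrcdoc: false, supportsSandboxsrc: false };

// Decide what an <iframe> with the given attributes would load and whether
// the loaded content is sandboxed, following the proposal's rules:
//   - @sandboxsrc implies sandbox and overrides @src (in UAs that know it);
//   - @srcdoc overrides @src in UAs that know it, sandboxed only with @sandbox;
//   - otherwise @src is used, sandboxed only if the UA honours @sandbox.
// An HTML4 UA ignores every attribute it does not know, which is the crux:
// unknown @sandboxsrc/@srcdoc fall back safely, unknown @sandbox does not.
function resolveFrameSource(attrs, ua) {
  if (ua.supportsSandboxsrc && 'sandboxsrc' in attrs) {
    return { url: escapeDataUriPayload(attrs.sandboxsrc), sandboxed: true };
  }
  if (ua.supportsSrcdoc && 'srcdoc' in attrs) {
    return { url: 'about:srcdoc', sandboxed: 'sandbox' in attrs };
  }
  const url = 'src' in attrs ? attrs.src : 'about:blank';
  return { url, sandboxed: ua.supportsSandbox && 'sandbox' in attrs };
}

// Run the post's three examples through both UA profiles and collect results.
function demo() {
  const cases = [
    { sandboxsrc: 'data:text/html,<h1>Hello</h1>' },
    { sandbox: '', src: 'hello.html-sandboxed' },
    { sandboxsrc: 'hello.html-sandboxed', src: 'hello.txt' },
    { srcdoc: '<h1>Hello</h1>' },
  ];
  return cases.map((attrs) => ({
    attrs,
    newUA: resolveFrameSource(attrs, NEW_UA),
    html4UA: resolveFrameSource(attrs, HTML4_UA),
  }));
}

for (const r of demo()) console.log(JSON.stringify(r));
```

The two results worth comparing are the second and third cases in an HTML4 UA: `sandbox src="hello.html-sandboxed"` loads the sandboxed-intended file with no sandbox at all, while `sandboxsrc="hello.html-sandboxed" src="hello.txt"` loads the harmless fallback instead.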


-- 
regards, Kornel Lesiński

[1] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2010-August/028274.html

Received on Monday, 6 September 2010 09:36:11 UTC