- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Mon, 6 Sep 2010 10:25:20 -0700
- To: Kornel Lesiński <kornel@geekhood.net>
- Cc: public-html@w3.org
2010/9/6 Kornel Lesiński <kornel@geekhood.net>:
>
> I agree that srcdoc without default sandbox might give false sense of security[1]. There were also suggestions that data: URIs already do what @srcdoc does, with the exception of fail-safety for sandboxed content in HTML4 UAs.
>
>
> My suggestion is to replace @srcdoc with @sandboxsrc.
>
> @sandboxsrc takes URI. Use of this attribute implies sandbox. When @sandboxsrc is used @src is ignored.

This removes the entire reason for @srcdoc, which is that you can use the sandbox security model without a network request.

~TJ
Received on Monday, 6 September 2010 17:26:12 UTC
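
Added example, not part of the original message: a sketch of emitting untrusted markup inline through sandbox plus srcdoc, with no src and so no network request, as the thread discusses. The function names, the token allow-list and the sample input are assumptions made for illustration.

```javascript
// Hypothetical helper names; constructed sample input.

// Escape a string for a double-quoted HTML attribute value.
// Inside srcdoc="..." only & and " need escaping.
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Sandbox tokens this helper accepts (an assumed allow-list).
// An empty list yields a bare sandbox attribute, the most restrictive form.
const ALLOWED_TOKENS = new Set([
  'allow-forms', 'allow-popups', 'allow-scripts', 'allow-same-origin',
]);

function buildSandboxedFrame(untrustedHtml, tokens = []) {
  for (const t of tokens) {
    if (!ALLOWED_TOKENS.has(t)) {
      throw new Error(`unsupported sandbox token: ${t}`);
    }
  }
  // srcdoc content takes the embedding page's origin unless the sandbox
  // withholds it, so scripts plus same-origin would give the embedded
  // markup full access to the parent document.
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    throw new Error('allow-scripts with allow-same-origin defeats the sandbox');
  }
  const sandbox = tokens.length ? ` sandbox="${tokens.join(' ')}"` : ' sandbox';
  // No src attribute: a UA that does not understand srcdoc shows an empty
  // frame instead of loading the content without a sandbox.
  return `<iframe${sandbox} srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`;
}

// Constructed sample: a comment body containing quotes and an ampersand
// that would otherwise end the attribute value early.
const sample = '<p>Tom & "Jerry"</p>';
console.log(buildSandboxedFrame(sample));
```
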