Re: @sandboxsrc proposal

2010/9/6 Kornel Lesiński <kornel@geekhood.net>:
>
> I agree that srcdoc without default sandbox might give a false sense of security[1]. There were also suggestions that data: URIs already do what @srcdoc does, with the exception of fail-safety for sandboxed content in HTML4 UAs.
>
>
> My suggestion is to replace @srcdoc with @sandboxsrc.
>
> @sandboxsrc takes a URI. Use of this attribute implies sandbox. When @sandboxsrc is used, @src is ignored.

This removes the entire reason for @srcdoc, which is that you can use
the sandbox security model without a network request.

~TJ

Received on Monday, 6 September 2010 17:26:12 UTC