- From: Jacob Rossi <jrossi@microsoft.com>
- Date: Tue, 29 Mar 2011 15:54:58 +0000
- To: Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>, "public-html@w3.org" <public-html@w3.org>, Adrian Bateman <adrianba@microsoft.com>

I agree. The fact that my proposal would allow the content to be rendered in legacy browsers is no different than the sandbox iframe attribute itself; and that's the way it should be lest we give the false impression that text/html-sandboxed is more than defense in depth.

> -----Original Message-----
> From: Michal Zalewski [mailto:lcamtuf@coredump.cx]
> Sent: Tuesday, March 29, 2011 4:57 AM
> To: gaz Heyes
> Cc: Jacob Rossi; public-web-security@w3.org; public-html@w3.org; Adrian Bateman
> Subject: Re: text/html-sandboxed should just be a sandboxed MIME type attribute
>
> > 2) The mime type ensures that the content itself was intended to be
> > sandboxed.
>
> Not really; still-popular browsers such as MSIE6 and MSIE7 will still
> tend to detect HTML on such a document in certain circumstances. If the
> goal of text/html-sandboxed is backward safety, then ignoring this is
> probably problematic (but I do think this was discussed before).
>
> /mz

Received on Tuesday, 29 March 2011 15:55:34 UTC