- From: gaz Heyes <gazheyes@gmail.com>
- Date: Thu, 10 Dec 2009 08:04:01 +0000
- To: Mary Ellen Zurko <mzurko@us.ibm.com>
- Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
Received on Thursday, 10 December 2009 08:04:41 UTC
2009/12/9 Mary Ellen Zurko <mzurko@us.ibm.com>

> In theory I've got no problem with that. In practice, I'm darned if I can
> figure out how to ensure that a gazillion web app developers "only" develop
> using features that are "adequately safe". And I can't tell in this
> discussion how I'll do that. But I realize that's a tangent. Just throwing
> it out in case there's an easy answer that someone will toss me, and I will
> catch in my mouth, and trot off happily with...

I think the best solution would be a sandbox feature of CSS. Something like:-

```html
<style type="text/css" sandbox="element">
@policy {
  selectors:= $ ^;
  url:same-origin;
  visited:same-origin;
}
body {
  /* this fails because the element reference becomes #element body */
}
img {
  /* reference automatically becomes #element img */
  position:absolute;
  left:-100px;
  top:-100px;
  /* These coordinates are only relevant to the "element" you cannot move outside of the element boundaries */
}
</style>
<div id="element" style="position:absolute;left:100px;top:100px;width:100px;height:100px;">
<img>
</div>
```
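The scoping proposed in the message can be approximated without browser support by rewriting a stylesheet before it is injected. The following is an added example, not part of the original message: `scopeCss`, `declAllowed`, `sameOrigin`, the sample stylesheet and both origins are hypothetical, and it covers only the `#element` selector prefixing and the `url:same-origin` rule, not the coordinate clipping or `visited`.

```javascript
// Added example (hypothetical helpers): emulate the proposal's selector scoping
// and url:same-origin rule by rewriting CSS text before it is injected.
function sameOrigin(ref, pageOrigin) {
  try {
    return new URL(ref, pageOrigin + "/").origin === pageOrigin;
  } catch (e) {
    return false; // unparsable reference: fail closed
  }
}

function declAllowed(decl, pageOrigin) {
  if (!decl.includes(":") || decl.includes("\\")) return false; // escapes could hide url(
  const opens = decl.match(/url\s*\(/gi) || [];
  if (opens.length === 0) return true;
  const refs = [...decl.matchAll(/url\(\s*(["']?)([^"')]*)\1\s*\)/gi)];
  return refs.length === opens.length && refs.every((m) => sameOrigin(m[2], pageOrigin));
}

function scopeCss(cssText, elementId, pageOrigin) {
  const kept = [];
  const dropped = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // strip comments first
  // Matches innermost "selector { declarations }" blocks only.
  for (const [, rawSel, rawBody] of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const selectors = rawSel.split(",").map((s) => s.trim());
    // At-rules and html/body/:root address things outside the sandboxed element.
    const outside = selectors.some((s) =>
      s === "" || s.includes("@") || /(^|[\s>+~])(html|body|:root)(?![\w-])/i.test(s));
    if (outside) {
      dropped.push(rawSel.trim());
      continue;
    }
    const decls = rawBody.split(";").map((d) => d.trim())
      .filter((d) => d && declAllowed(d, pageOrigin));
    const scoped = selectors.map((s) => `#${elementId} ${s}`).join(", ");
    kept.push(`${scoped} { ${decls.join("; ")} }`);
  }
  return { css: kept.join("\n"), dropped };
}

// Constructed input modelled on the message's sample; both origins are made up.
const SAMPLE = `
body { color: red }
img { position:absolute; left:-100px; background:url(https://other.example/t.png) }
`;
console.log(scopeCss(SAMPLE, "element", "https://app.example"));
```

Rules nested inside a conditional at-rule such as `@media` are kept in scoped form but lose their condition, so this rewriter suits flat stylesheets only.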