- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 13 Jan 2010 01:51:49 +0000 (UTC)
- To: public-html@w3.org
- Cc: public-web-security@w3.org

In response to implementor feedback regarding the sandbox="" feature of <iframe> in the WHATWG list [1], and based in part on a 2007 research paper from Microsoft [2], I have introduced a new MIME type for HTML (text/sandboxed-html) that is identical to text/html in every way except one critical aspect: resources served with this MIME type are forced into a unique security origin context.

This feature can also be used with <iframe sandbox=""> to force the desired behaviour in legacy UAs -- fallback to either no sandbox is possible as before (for the case where sandbox="" is being used for defence-in-depth), and fallback to load failure is now possible by serving the content with this type (for the case where legacy UAs are not intended to be supported and sandbox="" is being used for first-line security).

This is somewhat experimental, and so feedback (especially implementor feedback) regarding this proposal is encouraged.

[1] http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2010-January/024732.html
[2] http://research.microsoft.com/en-us/um/people/helenw/papers/sosp07MashupOS.pdf

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 13 January 2010 01:52:18 UTC