- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 12 Jan 2010 21:45:21 -0500
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Ian Hickson <ian@hixie.ch>, public-html@w3.org, public-web-security@w3.org
On 1/12/10 9:41 PM, Maciej Stachowiak wrote: > I don't think it is a problem. My understanding is that a major goal for > text/html-sandboxed is to protect against an attacker loading a resource > that is only meant to be served sandboxed in a non-sandboxed context. Ah, I see. OK, that makes sense. My concern was whether sites would choose to use this if it meant that <iframe sandbox> in a browser with no sandbox support would do weird stuff with the content. I guess doing weird stuff is certainly preferable to it being treated as HTML by said browser. ;) -Boris
Received on Wednesday, 13 January 2010 02:45:55 UTC