Re: text/sandboxed-html

On Jan 26, 2010, at 2:44 PM, Collin Jackson wrote:

> Since there is no mechanism preventing the attacker from making an
> iframe that points at the <sandbox>'s "src" attribute, the site needs
> some way of preventing the content from rendering as HTML, even though
> it will normally be script in non-attack scenarios. Serving up content
> with the MIME type text/javascript (or application/x-javascript) works
> about as well as text/html-sandboxed (same IE6 and Flash caveats).

Using a JavaScript type is likely to make some or all of the content readable (and not just embeddable) cross-site. So even though it won't then be rendered as HTML, this choice of MIME type has risks.

Regards,
Maciej

Received on Wednesday, 27 January 2010 01:46:51 UTC