Yeah, agreed Gareth.
Unless people start putting private information inside sandboxed scripts (I
don't think so but.. could happen) this is the safest approach.. At least
safer than HTML.
Greetings!!
-- Eduardo
http://www.sirdarckcat.net/
Sent from Hangzhou, Zhejiang, China
On Wed, Jan 27, 2010 at 9:08 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> 2010/1/27 sird@rckc.at <sird@rckc.at>
>
>> a <script src=> inside an <iframe sandbox=> is the same as a <sandbox
> >> src=>, the difference is that the latter is only javascript, and the former
>> is JS and HTML (and css maybe).
>>
> >> If I understood correctly, Helen thinks that HTML is dangerous, since it
>> executes in the context of the page serving it, while JS by itself is not..
>>
>
> Actually it's a better solution:-
> <sandbox src=x>Not supported</sandbox>
>
> The iframe content will not be displayed to the user. It makes more sense
> to use a new element IMO as you can use alternative HTML within the element
> boundaries
>