Re: CSP XML Data with tokens from gaz Heyes on 2011-01-28 (public-web-security@w3.org from January 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 09:52:46 +0000
To: "sird@rckc.at" <sird@rckc.at>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Message-ID: <AANLkTi=yos_ES5rWoK3xc7oo03-vstDFo28spz_fk0y-@mail.gmail.com>

On 28 January 2011 09:32, sird@rckc.at <sird@rckc.at> wrote:

> <iframe sandbox="allow-same-origin" seamless="seamless" srcdoc="your
> html content here"></iframe>
>

Ok but there are a few problems here, if you replace the target div with a
iframe what if a site contains a rule like div { position:absolute; } or any
other style, how could that work? How do you know which content to replace
with a sandboxed iframe? How would you apply more restrictions to the HTML?
More attributes?  Seems like a ugly hack to me using a iframe for this
purpose

Received on Friday, 28 January 2011 09:53:18 UTC