Re: text/html-sandboxed should just be a sandboxed MIME type attribute from Michal Zalewski on 2011-03-29 (public-web-security@w3.org from March 2011)

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Tue, 29 Mar 2011 04:56:45 -0700
To: gaz Heyes <gazheyes@gmail.com>
Cc: Jacob Rossi <jrossi@microsoft.com>, "public-web-security@w3.org" <public-web-security@w3.org>, "public-html@w3.org" <public-html@w3.org>, Adrian Bateman <adrianba@microsoft.com>
Message-ID: <AANLkTim3tokwLACv4HhgH+E5rA+3sp2U9io9dTtfQptD@mail.gmail.com>

> 2) The mime type ensures that the content itself was intended to be
> sandboxed.

Not really; still-popular browsers such as MSIE6 and MSIE7 will still
tend to detect HTML on such a document in certain circumstances. If
the goal of text/html-sandboxed is backward safety, then ignoring this
is probably problematic (but I do think this was discussed before).

/mz

Received on Tuesday, 29 March 2011 11:57:40 UTC