Re: The <iframe> element and sandboxing ideas

Ian Hickson wrote:
> Summary:
> 
>  * I've added a sandbox="" attribute to <iframe>, which by default
>    disables a number of features and takes a space-separated list of
>    features to re-enable:
> 
[snip list]

Unless I'm missing something, this attribute is useless in practice 
because legacy browsers will not impose the restrictions. This means 
that as long as legacy browsers exist (i.e. forever) server-side 
filtering must still be employed to duplicate the effects of the sandbox.

One alternative would be to use a different element name so that 
fallback content can be provided for legacy browsers. In the short term, 
this is likely to be something like this:

<sandbox src="/comments/blah">
<iframe src="/comments/blah?do-security-filtering=1"></iframe>
</sandbox>

Once a large percentage of browsers support <sandbox> authors can start 
to be less accommodating with their fallback content, either by 
filtering out HTML tags entirely (which I'd assume is easier than just 
filtering out script) or at the extreme just setting the fallback 
content to be "Your browser is not supported".

This comment does not address "seamless", which seems to be orthogonal 
and can thus be equally applied to both sandbox and iframe as currently 
specified.

Received on Thursday, 22 May 2008 12:21:37 UTC