W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2007

[whatwg] Sandboxing scripts in pages

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 12 Jan 2007 22:14:44 +0100
Message-ID: <op.tl17yuen64w2qv@id-c0020>
On Fri, 12 Jan 2007 22:09:40 +0100, Asbj?rn Ulsberg  
<asbjorn at tigerstaden.no> wrote:
>> Use an <iframe> and use cross-document messaging? This has been  
>> discussed a lot by the way.
> Frames are a terrible solution. The content is after all a part of the  
> page it's hosted in, but we want to sandbox it to make sure it can't do  
> any harm.

The proposed alternative is severely underdefined and won't work for the  
foreseeable future anyway.

> Let's say we'd like to sandbox anonymous user-contributed comments on a  
> blog, but not comments from logged in users. That would require all  
> anonymous comments to be placed within an iframe. For 100 anonymous  
> comments, that's 100 iframes on a single web page. Don't tell me that's  
> an elegant solution.

Why wouldn't have you have comment sanitization? Nope that you could use  
data: URIs on the <iframe>s.

Anne van Kesteren
Received on Friday, 12 January 2007 13:14:44 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:51 UTC