W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2007

[whatwg] Sandboxing scripts in pages

From: Jorgen Horstink <mail@jorgenhorstink.nl>
Date: Sat, 13 Jan 2007 00:34:44 +0100
Message-ID: <F89C6B84-F6E0-4F47-9B0D-B6947407D7BC@jorgenhorstink.nl>

On Jan 12, 2007, at 10:30 PM, James M Snell wrote:

> Anne van Kesteren wrote:
>> [snip]
>>> Frames are a terrible solution. The content is after all a part  
>>> of the
>>> page it's hosted in, but we want to sandbox it to make sure it can't
>>> do any harm.
>> The proposed alternative is severely underdefined and won't work  
>> for the
>> foreseeable future anyway.
>> [snip]
> Minor nit:
>   s/proposed alternative/simple strawman to illustrate the point/
> I just want the behavior or something that comes close without
> necessarily having to resort to aggressive filtering.  That is, I  
> don't
> necessarily want to eliminate scripts from the comments, I just  
> want to
> be able to limit their impact.
> Either way, I'm fully aware that any new invention here would take a
> while to actually work.
> - James
Please provide a real use case. I second Anne's point of comment  
sanitation. Can you give me one single use case when it is useful to  
use ECMAScript in a comment on a blog? Secondly, just as Bjoern  
states; a malicious script could easily position new element on top  
of other elements. Or do you want to restrict that too? I cannot see  
what CSS has to do with it, since it is not a style issue, but a DOM  
access behavior issue.

-- Jorgen
Received on Friday, 12 January 2007 15:34:44 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:51 UTC