- From: Mike Schinkel <mikeschinkel@gmail.com>
- Date: Sat, 13 Jan 2007 09:37:23 -0500
James M Snell wrote:
> I've recently been musing over some ideas around sandboxing
> scripts and styles within a document [1].
>
> Thoughts?
>
> - James
>
> [1] http://www.snellspace.com/wp/?p=582

Excellent idea!

Bjoern Hoehrmann wrote:
> It would be helpful if you could first explain what pain you
> are trying to solve and how your solution would solve it.

A community site could allow user-contributed script to add functionality to the community on sites as free-form as a wiki, and hence with open-ended use cases. But that's not really possible today because of the almost certainty of maliciousness.

Jorgen Horstink wrote:
> Please provide a real use case. I second Anne's point of
> comment sanitation. Can you give me one single use case when
> it is useful to use ECMAScript in a comment on a blog?

I'm working on such a real world use case and would like to solve the pain. I'd rather not describe it explicitly yet, but consider a situation where I have a script that operates on a section of HTML that allows plugs-in from arbitrary URLs. A webmaster could use this but would have to trust that the webmaster of the plugins would not change their script after he used them and thus would be much less likely to use this functionality. If he could sandbox it, that requirement for trust would be diminished and it would increase the likelihood the use of the functionality would spread.

FYI, an IFRAME would NOT work for this use-case as it is about linking script files to the main document, not about visual widgets.

BTW, I'd ALSO like a sandbox capability that completely disables script for use within blog comment sections and forum posts etc.

--
-Mike Schinkel
http://www.mikeschinkel.com/blogs/
http://www.welldesignedurls.org/
"It never ceases to amaze how many people will proactively debate away attempts to improve the web..."
Received on Saturday, 13 January 2007 06:37:23 UTC