- From: Alexey Feldgendler <alexey@feldgendler.ru>
- Date: Tue, 15 May 2007 23:46:19 +0200
On Tue, 15 May 2007 23:37:37 +0200, Jon Barnett <jonbarnett at gmail.com> wrote: >> The OP probably meant that maintaining so many contexts would cause a >> comparable deterioration in performance. All user comments should be >> put in one security context. >> With all comments grouped together in such a manner, you could even use >> an inline frame. > I really think comments are a bad use case. Why would someone allow > scripts in comments in any context, much less a sandboxed one? Sure, comments are probably an unrealistic example. But embedding widget-like scripts in blog entries is, I think, realistic. > The best use case I have thought of so far is MySpace et. al., a site > where users have their own page with limited permission in the context > of the overall site. MySpace solves this by not allowing scripts at > all, as most such web sites do. If possible, such sites might allow a > user to insert widget scripts with limited permissions. For this use > case, iframe isn't ideal, either, but limited scripting and styling > are desired. There are contexts in which blog entries by multiple users are displayed in one page (aggregation contexts like LiveJournal friends pages). Technically this is equivalent to the example with comments: units of content authored by different users needs to be protected from each other. -- Alexey Feldgendler <alexey at feldgendler.ru> [ICQ: 115226275] http://feldgendler.livejournal.com
Received on Tuesday, 15 May 2007 14:46:19 UTC