- From: Mike Ter Louw <mtl@uic.edu>
- Date: Wed, 02 Jul 2008 10:42:08 -0500
Ian Hickson wrote: > * I've added a seamless="" boolean attribute to <iframe>, which, if > the content's active document's URI has the same origin as the > container, causes the iframe to size vertically to the bounding box > of the contents, and horizontally to the width of the container, > and which causes the initial containing block of the contents to be > treated as zero height. In addition, styles on the root element of > the content must inherit from the <iframe> instead of being the > initial values, and the style sheets that apply to the <iframe> > must also apply to the contents. In addition, any time the browsing > context navigates itself, the parent browsing context gets > navigated instead. > > This is all HIGHLY EXPERIMENTAL. I am looking for feedback on the general > approaches taken. The approach is good in that it leverages the existing semantics of <iframe> as a document / browsing context boundary, and enables tweaking of content capabilities using a small number of options. The options are general enough that their effects should not be difficult for web authors to understand and put to use. In the spec, would an example of seamless embedding of untrusted content be useful? " In this example, the site www.example.com seamlessly embeds untrusted, user-generated content such that the untrusted content can not instantiate plugins, execute scripts, submit forms, etc.. Note for seamless attribute to be used in conjunction with sandbox attribute, allow-same-origin keyword must be set and browsing context's active document must have the same origin as the nested browsing context. <iframe src="www.example.com/getBlogComments.cgi?article=123" seamless sandbox="allow-same-origin"></iframe> " > There are various things that this doesn't address yet; e.g. there's no > way to force (or even allow) a non-seamless iframe to open links in the > parent window. There also does not seem to be a way for embedding untrusted content in a unique browsing context (i.e., different origin) that allows scripting and is seamless with the surrounding document. The is a constraint placed on use of the seamless attribute: its effects are not applied when the <iframe> is of a different origin. Is this to protect web authors from unintentional data leaks, or to prevent self-contradiction of the standard in some way? To me, the exciting thing about content restrictions is the ability for a web author, or automated security tools, to define a policy for the user agent to enforce. Toward this end the standards should allow great flexibility in how content restriction features can be used. Maybe we can allow the choice to trade "total security lock-down" for "very good security, some documented implicit data flows, but greater usability"? Here's another perspective: Is HTML 5 going to provide sufficient flexibility to enable web authors to safely embed untrusted content, or will future generations of web apps continue to rely on content filtering/sanitization techniques for restricting capabilities of untrusted content? Just to be clear, I think the current proposal is a great improvement over current browser support for content restrictions and will enable a wave of desperately needed security enhancements on the web. > This isn't very readable, I'll grant you. I'm thinking of introducing a > new attribute. I haven't worked out what to call it yet, but definitely > not "src", "source", "src2", "content", "value", or "data" -- maybe > "html" or "doc", though neither of those are great. This attribute would > take a string which would then be interpreted as the source document > markup of an HTML document, much like the above; it would override src="" > if it was present, allowing src="" to be used for legacy UAs: This new attribute, along with some form of content encoding (e.g., data URI scheme), could be very important to the usefulness of the seamless and sandbox attributes in some applications. Is the hold up just indecision about naming? How about "text" or "document"? Mike
Received on Wednesday, 2 July 2008 08:42:08 UTC