[whatwg] The <iframe> element and sandboxing ideas

From: Frode Børli <frode@seria.no>
Date: Thu, 24 Jul 2008 01:07:07 +0200
Message-ID: <31fb000f0807231607r55de0fc6qe98f0a44de219813@mail.gmail.com>
I am not sure - the sandbox should not allow any scripts at all, that is my
only requirement. More advanced requirements can be taken care of server
side.

The issue I want the sandbox for is that it allows us to introduce other ways to
embed scripts in tags in the future. Imagine this becoming legal in HTML 6
for some reason:

<td colspan='javascript(a + 5)'></td>

Where a JavaScript returns the value in the colspan attribute. Many
server-side HTML sanitizers would have to be updated - unless we introduce a
proper sandbox.

Of course a whitelist could be nice - but sending a list of 50+ tags for
each item in a guestbook is a bit much. CSS syntax could be used for such a
whitelist; a[href],span[style],area[alt|href] etc. With no whitelist -
everything should be allowed, except scripts.

Frode

2008/7/23 James Ide <ide at berkeley.edu>:

> On Tue, Jul 22, 2008 at 3:22 PM, Frode Børli <frode at seria.no> wrote:
>
>> The server must escape all user generated content by replacing < with
>> &lt; etc. This is perfectly secure for all existing browsers. The
>> sandbox instructs the browser to unescape. Completely fail safe for
>> all.
>
>
Received on Wednesday, 23 July 2008 16:07:07 UTC
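
The CSS-style whitelist syntax proposed in the message above (a[href],span[style],area[alt|href]), applied by a server-side sanitizer. This is an added example, not part of the original post or of any WHATWG proposal. The names parse_whitelist, safe_url, WhitelistSanitizer and sanitize, the set of allowed URL schemes, and the choice to drop script and style elements outright are assumptions of this example.

```python
import html, re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAFE_SCHEMES = {"", "http", "https", "mailto"}  # assumption: local URL policy
VOID = {"area", "br", "hr", "img"}               # elements with no end tag

def parse_whitelist(spec):
    """'a[href],area[alt|href]' -> {'a': {'href'}, 'area': {'alt', 'href'}}"""
    rules = {}
    for item in filter(None, (s.strip().lower() for s in spec.split(","))):
        tag, _, rest = item.partition("[")
        rules[tag] = set(filter(None, rest.rstrip("]").split("|")))
    return rules

def safe_url(value):
    try:  # strip whitespace/control chars that browsers ignore inside a scheme
        return urlsplit(re.sub(r"[\x00-\x20]", "", value)).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class WhitelistSanitizer(HTMLParser):
    def __init__(self, rules):
        super().__init__(convert_charrefs=True)
        self.rules, self.out, self.skip = rules, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1  # drop the element together with its text
        if self.skip or tag not in self.rules:
            return
        kept = [(n, v or "") for n, v in attrs if n in self.rules[tag]]
        kept = [(n, v) for n, v in kept if n != "href" or safe_url(v)]
        # values are escaped, not inspected: style content is not filtered here
        self.out.append("<" + tag + "".join(
            f' {n}="{html.escape(v, quote=True)}"' for n, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.rules and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(markup, spec):
    parser = WhitelistSanitizer(parse_whitelist(spec))
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Because only listed tag and attribute pairs are re-emitted, the hypothetical `<td colspan='javascript(a + 5)'>` from the message is removed without the sanitizer knowing about it; the same value would pass through unchanged if td[colspan] were added to the whitelist, which is the maintenance burden the message describes.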