- From: Kristof Zelechovski <giecrilj@stegny.2a.pl>
- Date: Wed, 18 Jun 2008 09:59:25 +0200
Let?s sort things out, folks. There is nothing in the spec to prevent a browser vendor to format the user?s hard drive and to drain her bank account as a bonus when the page displayed contains the string "D357R0Y!N0\V!". The spec does not tell the vendors what not to do, therefore it cannot guarantee anything in this respect. The spec provides a reference implementation and it is our job not to let harmful extensions in here; what happens in the wild is beyond our control. IMHO, Chris -----Original Message----- From: whatwg-bounces@lists.whatwg.org [mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Mikko Rantalainen Sent: Wednesday, June 18, 2008 9:20 AM To: whatwg at lists.whatwg.org Subject: Re: [whatwg] Sandboxing to accommodate user generated content. Frode B?rli wrote: >>> I have been reading up on past discussions on sandboxing content, and >>> >>> My main arguments for having this feature (in one form or another) in >>> the browser is: >>> >>> - It is future proof. Changes to browsers (for example adding >>> expression support to css) will never again require old sanitizers to >>> be updated. Unless some braindead vendor is going to add scripting-in-sandboxing feature which would be equally braindead to unlimited expression support in css. You cannot be future proof unless you trust all the players including ALL possible browser vendors. [snip] > This method will be safe for all browsers that has ever existed and > that will ever exist in the future. If new features are introduced in > some future version of CSS or HTML - the sandbox is still there and > the applications created today does not need to have their sanitizers > updated, ever. That's a pretty bold claim! I guess that a similar claim could have been said about CSS support before Microsoft added the "expression()" value syntax. Can *you* guarantee that a random browser vendor does not implement anything stupid for the sandbox content in the future? -- Mikko
Received on Wednesday, 18 June 2008 00:59:25 UTC