- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 22 May 2008 22:19:12 -0500
Kristof Zelechovski wrote:
> 1. Nested browsing contexts in a sandboxed frame cannot be created
> dynamically but they can be defined by the inner markup.

There was no mention of "dynamically" in Ian's proposal. My assumption was that "cannot create browsing contexts" meant just that. If it doesn't, the wording needs some changes.

> 2. If the frame is not allowed to execute scripts, setting location to
> script should have no effect.

OK. Again, that was not clear in the original proposal.

> 4. Percentage in height scales to the container's height, not to the initial
> dimensions of the current element. It is an error if the container's height
> is left implicit

It's not an error in CSS. Or are you suggesting a different algorithm?

> or if the sum of percentages exceeds 100%.

Again, not a problem in CSS. Percentages of auto just get treated as auto. If you're suggesting a totally different algorithm, it needs a lot of fleshing out.

> 5. The argument against SANDBOX is that the user could inject /SANDBOX. The
> argument against code attribute is that the user could inject a quote.
> Aren't these similar enough to reconsider SANDBOX?

SANDBOX and the non-base64 attribute thing seem pretty similar in a lot of ways to me, except that the iframe (having a separate Window and such) might be easier to secure in existing implementations.

-Boris
Received on Thursday, 22 May 2008 20:19:12 UTC