- From: Michal Zalewski <lcamtuf@dione.cc>
- Date: Sat, 27 Sep 2008 00:34:45 +0200 (CEST)
On Fri, 26 Sep 2008, Elliotte Rusty Harold wrote:

> It's tongue-in-cheek that I don't expect it to be adopted or seriously
> considered (this year). It's not tongue-in-cheek in that I very much
> wish it were adopted. That is, I think it's in the realm of the
> desirable, not the possible.

Oh yup, agreed there; with current DOM manipulation capabilities, and with the hopefully upcoming flexible, site-controlled security policies, IFRAMEs could probably safely go away in a decade or so for most intents and purposes.

> I am curious what issues you see with same origin content. They
> certainly exist, but I tend to feel those are orthogonal to the issues
> at hand, and subject for a separate discussion.

Yup, these are best addressed by introducing better security controls wrt content sniffing, sandboxing, etc., rather than keeping IFRAMEs around. It's just that killing IFRAMEs before these improvements are introduced would probably do some harm.

The general problem is, let's assume my application wants to show you a third-party gadget, a document of an unknown format sent to you in an e-mail, or a raw HTML page that cannot be scrubbed down, or that we do not believe we can scrub well enough (this is a very difficult task by itself, given browser-specific HTML parsing quirks). Further assume that I want to do it within some other, trusted UI, to offer a more intuitive and streamlined user experience, instead of creating new minimal, non-interactive tabs.

The only way to do it right now without risking the content gaining control of the UI is to keep it in a separate, untrusted "sandbox" domain, and use IFRAMEs to embed the data within the UI. Quite a few web apps adopted this approach, for better or worse, to implement useful functionality.

Cheers,
/mz
Received on Friday, 26 September 2008 15:34:45 UTC
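The "separate untrusted sandbox domain plus IFRAME" pattern described in the message above, as an added example that is not part of the e-mail or of any project it mentions. The two origins (`https://app.example` for the trusted UI, `https://usercontent-sandbox.example` for the sandbox), the `resize` message shape and the use of `postMessage` as the frame-to-host channel are all assumptions made for the illustration. The point it makes is the one the message relies on: the boundary is the browser's origin (scheme, host, port), so a path under the trusted site is not a sandbox, and anything the frame sends back must be checked against the sandbox origin before the host acts on it.

```javascript
// Added example, not from the e-mail. Origins and message shape are assumptions.
const TRUSTED_UI_ORIGIN = 'https://app.example';
const SANDBOX_ORIGIN = 'https://usercontent-sandbox.example';

// The origin tuple browsers compare for the same-origin policy: scheme + host + port.
// u.host already includes a non-default port and drops the default one.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Host side: build the IFRAME src for an untrusted document. Refuse anything
// that is not on the sandbox origin, so raw user HTML is never served (and
// therefore never scripted) under the trusted UI's own origin.
function sandboxedFrameSrc(untrustedDocUrl) {
  if (!isSameOrigin(untrustedDocUrl, SANDBOX_ORIGIN)) {
    throw new Error('untrusted content must be served from the sandbox origin');
  }
  return untrustedDocUrl;
}

// Sandbox side: what the framed document would send with
// parent.postMessage(data, targetOrigin). Naming the trusted UI as the target
// origin means the message is dropped if an attacker frames the sandbox page.
function sandboxResizeMessage(height) {
  return {
    data: JSON.stringify({ type: 'resize', height }),
    targetOrigin: TRUSTED_UI_ORIGIN,
  };
}

// Host side: handler for window.addEventListener('message', ...). Returns the
// validated request, or null when the message must be ignored. The origin
// check comes first; the strict schema keeps the frame from pushing markup or
// arbitrary values into the trusted UI.
function handleSandboxMessage(event) {
  if (event.origin !== SANDBOX_ORIGIN) return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  if (typeof msg !== 'object' || msg === null) return null;
  if (msg.type === 'resize' && Number.isInteger(msg.height) &&
      msg.height > 0 && msg.height <= 4000) {
    return { type: 'resize', height: msg.height };
  }
  return null;
}

// Stand-alone run: show why a path on the trusted site is not a boundary.
console.log(isSameOrigin('https://app.example/sandbox/doc.html', SANDBOX_ORIGIN)); // false
console.log(handleSandboxMessage({ origin: 'https://evil.example',
  data: '{"type":"resize","height":300}' })); // null
```

In a real deployment the sandbox origin should also be a separate registrable domain (not a subdomain of the trusted site), so that cookies scoped to the parent domain and `document.domain` tricks cannot bridge the two; the example only encodes the origin comparison itself.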