[whatwg] The <iframe> element and sandboxing ideas

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 27 Apr 2009 06:10:27 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0904270609520.10370@hixie.dreamhostps.com>

On Fri, 13 Feb 2009, Adam Barth wrote:
> On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson <ian at hixie.ch> wrote:
> > Indeed. If someone can come up with a way of making this work in legacy
> > UAs, I'd certainly be happy to change the spec to do that.
> 
> Here's a suggestion.  When requesting the contents of a sandboxed
> iframe, send an HTTP header that contains the sandbox policy:
> 
> X-HTML-Sandbox-Policy: allow-forms, allow-scripts
> 
> Servers can decide not to serve untrusted content if they don't see a
> sandbox policy they like.

Some of the flags can be changed dynamically, so that the server can be 
given one set of flags but other flags actually apply. Does that matter?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 26 April 2009 23:10:27 UTC
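
An added example, not part of the original message or of any specification: a server-side check for the header proposed in the quoted text, which refuses untrusted content when the announced policy is missing or wider than the server tolerates. The function names, the fail-closed handling of unknown tokens and the treatment of an empty value as fully sandboxed are assumptions. The decision reflects only the flags sent with the request, which per the reply may differ from the flags that apply later.

```python
# Header name and the two flag names are taken from the message above.
# Everything else (function names, status codes, fail-closed rules) is assumed.
HEADER = "X-HTML-Sandbox-Policy"
KNOWN_FLAGS = {"allow-forms", "allow-scripts"}


def parse_policy(value):
    """Split a comma-separated policy value into a set of lowercase flags."""
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}


def decide(headers, tolerated):
    """Return (status, reason) for a request for untrusted content.

    headers   -- dict of request headers (names matched case-insensitively)
    tolerated -- set of flags the server accepts for this resource
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(HEADER.lower())
    if raw is None:
        # Legacy UA or non-sandboxed load: nothing was announced, so refuse.
        return 403, "no sandbox policy announced"
    flags = parse_policy(raw)  # empty set is assumed to mean "fully sandboxed"
    unknown = flags - KNOWN_FLAGS
    if unknown:
        # Fail closed on tokens this server does not understand.
        return 403, "unrecognised flags: " + ", ".join(sorted(unknown))
    excess = flags - tolerated
    if excess:
        return 403, "policy too permissive: " + ", ".join(sorted(excess))
    # Request-time snapshot only: flags changed later are not visible here.
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {},
        {HEADER: ""},
        {HEADER: "allow-forms"},
        {HEADER: "allow-forms, allow-scripts"},
    ]
    for request_headers in samples:
        print(request_headers, "->", decide(request_headers, {"allow-forms"}))
```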
