- From: Adam Barth <whatwg@adambarth.com>
- Date: Fri, 13 Feb 2009 15:50:42 -0800
On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson <ian at hixie.ch> wrote: > Indeed. If someone can come up with a way of making this work in legacy > UAs, I'd certainly be happy to change the spec to do that. Here's a suggestion. When requesting the contents of a sandboxed iframe, send an HTTP header that contains the sandbox policy: X-HTML-Sandbox-Policy: allow-forms, allow-scripts Servers can decide not to serve untrusted content if they don't see a sandbox policy they like. Adam
Received on Friday, 13 February 2009 15:50:42 UTC