W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2009

[whatwg] The <iframe> element and sandboxing ideas

From: Adam Barth <whatwg@adambarth.com>
Date: Fri, 13 Feb 2009 15:50:42 -0800
Message-ID: <7789133a0902131550l33a5d69cgaaf456cf1c92f097@mail.gmail.com>
On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson <ian at hixie.ch> wrote:
> Indeed. If someone can come up with a way of making this work in legacy
> UAs, I'd certainly be happy to change the spec to do that.

Here's a suggestion.  When requesting the contents of a sandboxed
iframe, send an HTTP header that contains the sandbox policy:

X-HTML-Sandbox-Policy: allow-forms, allow-scripts

Servers can decide not to serve untrusted content if they don't see a
sandbox policy they like.

Received on Friday, 13 February 2009 15:50:42 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:09 UTC