- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 18 Oct 2009 21:48:51 +0000 (UTC)
On Sun, 18 Oct 2009, Ben Laurie wrote:
>
> > but if you want a very specific type used for a plugin, you can use
> > <embed>.
>
> So what's the difference between <embed> and <object>?

<embed> only allows plugins; <object> also allows other things, like HTML
and images.

> > If you just want to allow the untrusted site to do anything, but in
> > their own security context so it can't harm your site, use <iframe>.
>
> iframe is insufficient to prevent untrusted content from doing harm. It
> also makes it painful to communicate with the untrusted content.

Both of these issues are addressed in HTML5, with sandbox="" on <iframe>,
and postMessage() on Window. Hopefully that will make things better on the
long term.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 18 October 2009 14:48:51 UTC
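
The sandbox="" plus postMessage() combination mentioned in the message, seen from the embedding page: an added example, not part of the original message or of any specification text. The frame URL, the element id, the message types and the name makeFrameMessageHandler are assumptions made for illustration.

```javascript
// Parent-page receiver for postMessage() from a sandboxed <iframe>.
// Browser markup this assumes (hypothetical URL and id):
//   <iframe id="widget" sandbox="allow-scripts"
//           src="https://untrusted.example/widget.html"></iframe>
// Without allow-same-origin the framed document has an opaque origin, so
// event.origin is the string "null" and cannot identify the sender; the
// parent has to compare event.source with the frame's contentWindow.

const ALLOWED_TYPES = new Set(["ready", "resize"]); // hypothetical message types

function makeFrameMessageHandler(frameWindow, onMessage) {
  return function handle(event) {
    // 1. Accept only the exact window that was embedded.
    if (event.source !== frameWindow) return "rejected: wrong source";
    // 2. A frame sandboxed without allow-same-origin reports origin "null".
    if (event.origin !== "null") return "rejected: unexpected origin";
    // 3. The payload is untrusted data: check its shape before use.
    const data = event.data;
    if (typeof data !== "object" || data === null) return "rejected: not an object";
    if (!ALLOWED_TYPES.has(data.type)) return "rejected: unknown type";
    if (data.type === "resize" &&
        !(Number.isInteger(data.height) && data.height >= 0 && data.height <= 2000)) {
      return "rejected: bad height";
    }
    onMessage({ type: data.type, height: data.height }); // pass on checked fields only
    return "accepted";
  };
}

// Constructed events standing in for browser MessageEvent objects.
function demo() {
  const frameWindow = { name: "sandboxed frame" }; // stand-in for iframe.contentWindow
  const otherWindow = { name: "some other window" };
  const received = [];
  const handle = makeFrameMessageHandler(frameWindow, (m) => received.push(m));
  const verdicts = [
    handle({ source: frameWindow, origin: "null", data: { type: "resize", height: 300 } }),
    handle({ source: otherWindow, origin: "null", data: { type: "resize", height: 300 } }),
    handle({ source: frameWindow, origin: "https://untrusted.example", data: { type: "ready" } }),
    handle({ source: frameWindow, origin: "null", data: "plain string" }),
    handle({ source: frameWindow, origin: "null", data: { type: "resize", height: 1e9 } }),
  ];
  return { verdicts, received };
}

// In a browser: window.addEventListener("message", handle), with
// frameWindow = document.getElementById("widget").contentWindow.
console.log(demo().verdicts);
```

The third constructed event is rejected because a real origin means the frame is not running with the opaque origin the sandbox attribute was supposed to give it.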