W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2010

[whatwg] Should scripts and plugins in contenteditable content be enabled or disabled?

From: Robert O'Callahan <robert@ocallahan.org>
Date: Thu, 20 May 2010 11:32:05 +1200
Message-ID: <AANLkTimy1Fb-OaywZqNYAt4zvR3-yDyrQnkHVMkSGFCM@mail.gmail.com>
On Wed, May 19, 2010 at 5:35 AM, Ojan Vafai <ojan at chromium.org> wrote:

> The webkit behavior of allowing all scripts makes the most sense to me. It
> should be possible to disable scripts, but that capability shouldn't be tied
> to editability. The clean solution for the CKEditor developer is to use a
> sandboxed iframe.
>

Discussion led to the point that there's a fundamental conflict between
sandboxed iframes and JS-based framebusting techniques. The point of
https://bugzilla.mozilla.org/show_bug.cgi?id=519928 is that Web sites using
JS-based techniques to prevent clickjacking can be thwarted if the
containing page has a way to disable JS in the child document. Currently
'designmode' is usable that way in Gecko, but 'sandbox' would work even
better.

Maybe sites should all move to declarative techniques such as CSP or
X-Frame-Options (although there are suggestions that maybe they don't want
to for some reason --- see
https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c5 ). But there are
still issues with existing sites. Should we care?

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100520/7560765a/attachment.htm>
Received on Wednesday, 19 May 2010 16:32:05 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:23 UTC