[whatwg] <banner> as a dedicated tag

On Wed, 23 Feb 2011, Martin Stender wrote:
> 
> I've been searching the archives for some discussions about the need for 
> a dedicated banner-tag [...]. Several places on our site, we have markup 
> like this:
> 
> <snip>
> <div class="banner_300">
> <script language="javascript" type="text/javascript"><!--
> document.write('<scr'+'ipt language="javascript1.1" src="http://adserver.adtech.de/addyn/3.0/123/123456/1/123/ad;loc=100;target=_blank;key=some+key+words;grp=12345;misc='+new Date().getTime()+'"></scri'+'pt>');
> //-->
> </script>
> </div>
> </snip>
> 
> So the ad-managing system injects whatever is supposed to sit inside 
> that div-tag, into our dom. I believe that is the way most commercial 
> sites handle this task.
> 
> While we trust both our ad-team, our ad-management system, our customers 
> and their ad-agencies - *nothing* really prevents either a human error 
> or some 'evil-doers' (tm) from taking over the entire page this way. In 
> reality, of course, human error would be the case in almost all cases of 
> mishap, but everything is possible.
> 
> So it would be great to have the ability to just insert a <banner>-tag, 
> knowing that whatever goes on inside that tag, cannot alter the page 
> itself. You should be able to grant the tag access to read various 
> values of the surrounding page, though.

On Wed, 23 Feb 2011, Tab Atkins Jr. wrote:
> 
> Let me attempt to summarize your use-case:
> 
> """
> I have untrusted markup from a third party which I would like to
> safely insert into my page, knowing that the rest of my page is safe
> from whatever the untrusted markup is doing.  Also, the untrusted
> markup may be doing expensive things, particularly on load, so I'd
> like to wait until after the rest of the page is loaded before loading
> the markup.
> """
> 
> Is this accurate?  Correct me if not, but I'll assume it is for now.
> 
> This is precisely what <iframe sandbox> is designed for.  You can use a 
> sandboxed iframe to isolate things from the rest of your page while 
> still allowing them to run script and generally do arbitrary unknown 
> things.
> 
> If the network request that <iframe>s normally kick off is undesirable, 
> you can use the @srcdoc attribute to get around this. Using @srcdoc, you 
> can either safely embed the untrusted markup directly in your page 
> (it'll still only run in the sandbox), or easily set it from script. ( 
> var bannermarkup = "<p>some markup here</p>"; banneriframe.srcdoc = 
> bannermarkup; )
> 
> I know that iframes don't stop the rest of the page from rendering while 
> they load.  I can't recall off the top of my head whether they delay the 
> load event or not.  If they do, and this is a problem, you can easily 
> just set up a script which listens for the load event and then sets the 
> @src or @srcdoc of the iframe.

Indeed.


I haven't added a <banner> element, since it seems <iframe> already 
handles this. Is that sufficient?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 3 June 2011 16:11:05 UTC
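The approach Tab describes (a sandboxed iframe whose content is supplied through @srcdoc, filled only after the host page's load event), worked through as an added example that is not code from the whatwg thread or from any browser vendor. It goes a little beyond the thread in two places a practitioner will want: the markup is attribute-escaped when it is written into srcdoc="..." as literal HTML (a stray quote in the banner would otherwise close the attribute and land outside the sandbox), and the sandbox token list is checked so that allow-same-origin or allow-top-navigation can never be granted to a banner slot. The function names (mountBanner, bannerFrameHtml, escapeAttribute, validateSandbox), the BANNER_SANDBOX token set and the banner-slot element are this example's own assumptions; the sandbox tokens themselves are the standard HTML ones.

```javascript
// Added example for this thread (not code from the whatwg list or any
// browser vendor): hosting third-party banner markup in a sandboxed srcdoc
// iframe that is filled only after the host page's load event.
// mountBanner, bannerFrameHtml, escapeAttribute and validateSandbox are
// names chosen for this example; the sandbox tokens are the standard ones.

// Tokens for an ad slot: scripts may run and links may open new windows
// (the ad tag quoted in the thread uses target=_blank), but the frame keeps
// an opaque origin, so its script cannot read or modify the host document.
const BANNER_SANDBOX = 'allow-scripts allow-popups';

// Tokens this slot must never grant. allow-same-origin together with
// allow-scripts gives srcdoc content the host's origin and therefore full
// access to the host DOM, which defeats the sandbox entirely;
// allow-top-navigation lets the frame replace the host page.
const FORBIDDEN_TOKENS = ['allow-same-origin', 'allow-top-navigation'];

function validateSandbox(sandbox) {
  const tokens = sandbox.split(/\s+/).filter(Boolean);
  for (const t of tokens) {
    if (FORBIDDEN_TOKENS.includes(t)) {
      throw new Error(`sandbox token not allowed for a banner slot: ${t}`);
    }
  }
  return tokens;
}

// Escape text for a double-quoted HTML attribute value. Required when the
// untrusted markup is written into srcdoc="..." as literal HTML: an
// unescaped " in the banner would close the attribute and everything after
// it would be parsed as host-page markup, outside the sandbox.
function escapeAttribute(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Server-side (or template) form: emit the iframe as HTML text.
function bannerFrameHtml(markup, sandbox = BANNER_SANDBOX) {
  validateSandbox(sandbox);
  return `<iframe sandbox="${sandbox}" srcdoc="${escapeAttribute(markup)}"></iframe>`;
}

// Client-side form: create the frame now (so layout reserves the slot) but
// assign srcdoc only once the host document has finished loading, so the
// banner's own fetches never delay the host's load event. Setting the
// srcdoc IDL property needs no escaping: the string becomes the attribute
// value directly and is never parsed as host markup.
function mountBanner(doc, win, container, markup, sandbox = BANNER_SANDBOX) {
  validateSandbox(sandbox);
  const frame = doc.createElement('iframe');
  // The sandbox attribute must be in place before the frame navigates;
  // adding it after content has loaded does not retroactively restrict it.
  frame.setAttribute('sandbox', sandbox);
  container.appendChild(frame);

  const fill = () => { frame.srcdoc = markup; };
  if (doc.readyState === 'complete') {
    fill();
  } else {
    win.addEventListener('load', fill, { once: true });
  }
  return frame;
}

// Browser usage with a constructed banner; skipped outside a browser.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const slot = document.getElementById('banner-slot'); // assumed host element
  if (slot) {
    mountBanner(document, window, slot, '<p>constructed banner markup</p>');
  }
}
```

The two forms serve the two ways Tab mentions: bannerFrameHtml for embedding the markup directly in the page, mountBanner for setting it from script after load. Both refuse the token combinations that would let the banner reach the host document, which is the property Martin's <banner> proposal was asking for.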