- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 3 Jun 2011 23:11:05 +0000 (UTC)
On Wed, 23 Feb 2011, Martin Stender wrote:
>
> I've been searching the archives for some discussions about the need for
> a dedicated banner-tag [...]. Several places on our site, we have markup
> like this:
>
> <snip>
> <div class="banner_300">
> <script language="javascript" type="text/javascript"><!--
> document.write('<scr'+'ipt language="javascript1.1" src="http://adserver.adtech.de/addyn/3.0/123/123456/1/123/ad;loc=100;target=_blank;key=some+key+words;grp=12345;misc='+new Date().getTime()+'"></scri'+'pt>');
> //-->
> </script>
> </div>
> </snip>
>
> So the ad-managing system injects whatever is supposed to sit inside
> that div-tag, into our dom. I believe that is the way most commercial
> sites handle this task.
>
> While we trust both our ad-team, our ad-management system, our customers
> and their ad-agencies - *nothing* really prevents either a human error
> or some 'evil-doers' (tm) from taking over the entire page this way. In
> reality, of course, human error would be the case in almost all cases of
> mishap, but everything is possible.
>
> So it would be great to have the ability to just insert a <banner>-tag,
> knowing that whatever goes on inside that tag, cannot alter the page
> itself. You should be able to grant the tag access to read various
> values of the surrounding page, though.

On Wed, 23 Feb 2011, Tab Atkins Jr. wrote:
>
> Let me attempt to summarize your use-case:
>
> """
> I have untrusted markup from a third party which I would like to
> safely insert into my page, knowing that the rest of my page is safe
> from whatever the untrusted markup is doing. Also, the untrusted
> markup may be doing expensive things, particularly on load, so I'd
> like to wait until after the rest of the page is loaded before loading
> the markup.
> """
>
> Is this accurate? Correct me if not, but I'll assume it is for now.
>
> This is precisely what <iframe sandbox> is designed for. You can use a
> sandboxed iframe to isolate things from the rest of your page while
> still allowing them to run script and generally do arbitrary unknown
> things.
>
> If the network request that <iframe>s normally kick off is undesirable,
> you can use the @srcdoc attribute to get around this. Using @srcdoc, you
> can either safely embed the untrusted markup directly in your page
> (it'll still only run in the sandbox), or easily set it from script. (
> var bannermarkup = "<p>some markup here</p>"; banneriframe.srcdoc =
> bannermarkup; )
>
> I know that iframes don't stop the rest of the page from rendering while
> they load. I can't recall off the top of my head whether they delay the
> load event or not. If they do, and this is a problem, you can easily
> just set up a script which listens for the load event and then sets the
> @src or @srcdoc of the iframe.

Indeed. I haven't added a <banner> element, since it seems <iframe>
already handles this. Is that sufficient?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 3 June 2011 16:11:05 UTC
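
The two @srcdoc routes described in the thread (markup embedded in the page source, or set from script once the load event has fired), as an added JavaScript example that is not part of the original messages. The helper names and the token allow-list are assumptions; `allow-same-origin` is refused because a srcdoc frame would otherwise share the embedding page's origin.

```javascript
// Added example, not from the original thread. Helper names are hypothetical.

// Sandbox keywords this helper accepts; all are defined by the HTML spec.
const ALLOWED_TOKENS = new Set(['allow-scripts', 'allow-popups', 'allow-forms']);

function checkTokens(tokens) {
  for (const t of tokens) {
    // allow-same-origin is deliberately not accepted: a srcdoc frame takes the
    // embedding page's origin, so together with allow-scripts the banner could
    // reach the parent DOM and remove its own sandbox.
    if (!ALLOWED_TOKENS.has(t)) throw new Error('sandbox token not permitted: ' + t);
  }
  return tokens.join(' ');
}

// Escape markup for use inside a double-quoted srcdoc="..." attribute.
// '&' is replaced first so the entities produced for '"' are not re-escaped.
function escapeSrcdoc(markup) {
  return markup.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Templating path: embed the banner markup directly in the page source.
function bannerIframeHtml(markup, tokens = ['allow-scripts']) {
  return '<iframe sandbox="' + checkTokens(tokens) + '" srcdoc="' +
         escapeSrcdoc(markup) + '"></iframe>';
}

// Script path: build the frame through the DOM; no attribute escaping needed.
function mountBanner(doc, container, markup, tokens = ['allow-scripts']) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', checkTokens(tokens)); // set before any content
  frame.srcdoc = markup;
  container.appendChild(frame);
  return frame;
}

// Defer the banner until the host page's load event has fired.
function mountBannerAfterLoad(win, container, markup, tokens) {
  if (win.document.readyState === 'complete') {
    return mountBanner(win.document, container, markup, tokens);
  }
  win.addEventListener('load', () =>
    mountBanner(win.document, container, markup, tokens), { once: true });
  return null; // frame is created later, inside the load handler
}
```

In a browser, call `mountBannerAfterLoad(window, document.querySelector('.banner_300'), bannermarkup)`; the frame is sandboxed before it receives any markup.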