- From: Lincoln Yeoh <lyeoh@pop.jaring.my>
- Date: Tue, 25 Sep 2007 23:27:17 +0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: www-html@w3.org, gerv@mozilla.org
At 06:19 AM 9/25/2007, Ian Hickson wrote:
>On Tue, 25 Sep 2007, Lincoln Yeoh wrote:
> >
> > We've got stuff like "ping", "time" attributes in HTML5.
> >
> > So what does it take to get a "tag/element to disable unwanted
> > features"?
>
>It's on the (long) list of things being looked at. See the "sandboxing"
>e-mails here:
>
>  http://www.whatwg.org/issues/#graphics-iframe

OK, sorry for my impatience, but it's already been 5 years since I first bugged various people about it [1] :).

Anyway, my take on it is we'd need a closing tag or another tag with a random secret that must match the one used in the opening/starting tag. It'll be more certain than trying to filter out all the possible variations of <sandbox> or </sandbox> an unknown/buggy browser could recognize. It is also less expensive and less difficult than calculating md5/sha1 hashes for dynamically generated stuff.

As for what stuff to allow/disable, my suggestions are:

at least one mode to disable "client side active stuff" like javascript, activex, flash etc. within the tags (aka what the browser people have had difficulty with over the years),

and another one or two more paranoid modes: "text only" or "safe subset of html only" (aka what the browser people have managed to NOT get badly wrong over the years).

Regards,
Link.

[1] http://archives.neohapsis.com/archives/sf/www-mobile/2002-q2/0147.html

Off-topic rant (but maybe relevant for the browser people):

I'm also waiting for sandbox security templates for applications.

e.g. "Britney Screensaver" requests "Full System Install Privileges" to run. Allow? Yes/No (with red scary warnings etc. etc.). Correct and safe answer of course is No.

Whereas "Britney Screensaver" requests "Screensaver install privileges". Correct and safe answer is Yes - and the O/S will not allow the screensaver to do "non-screensaver stuff".

Similarly, browsers should run using the "Default Browser" security template.
Too bad after billions of dollars and many years, we either get unhelpful stuff like UAC, or require "Joe Sixpack"s to solve a variation of the halting problem without them even being able to read the source code aka "Is this program/link safe to run/click on?".
Received on Tuesday, 25 September 2007 15:31:33 UTC