<div class="gmail_quote">On Fri, Apr 23, 2010 at 2:34 AM, Robert O'Callahan <span dir="ltr"><<a href="mailto:robert@ocallahan.org" target="_blank">robert@ocallahan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On Fri, Apr 23, 2010 at 6:52 PM, Simon Pieters <span dir="ltr"><<a href="mailto:simonp@opera.com" target="_blank">simonp@opera.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
It seems Hixie has decided to go back to the WebKit behavior in the spec for designMode.<br>
<br>
<a href="http://html5.org/tools/web-apps-tracker?from=2817&to=2818" target="_blank">http://html5.org/tools/web-apps-tracker?from=2817&to=2818</a><br></blockquote></div><br clear="all">
</div>
It's certainly the easiest to implement, but you can see feedback in <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=519928" target="_blank">https://bugzilla.mozilla.org/show_bug.cgi?id=519928</a> that this makes life difficult for people writing editors.<br>
<br>Thanks for the links.</blockquote></div><div><br></div><div>The WebKit behavior of allowing all scripts makes the most sense to me. It should be possible to disable scripts, but that capability shouldn't be tied to editability. The clean solution for the CKEditor developer is to use a sandboxed iframe.</div>
<div><br></div><div>I don't see a security benefit for disabling script as you'd have all the same issues with loading any user-content in a non-editable area. The only catch is that you *do* need to disable script from pasted and drag-dropped content (see <a href="http://trac.webkit.org/changeset/53442" target="_blank">http://trac.webkit.org/changeset/53442</a>). Basically, any site serving user-content will already need to mitigate XSS some other way, so disabling script in editable areas is not necessary, but paste/drag-drop can't reasonably rely on server-side solutions, so must be done by the UA.</div>
<div><br></div><div>Putting my developer hat on, trying to make Google Gadgets work in Google's rich text editor inside Firefox designMode was awful due to <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=519928" target="_blank">https://bugzilla.mozilla.org/show_bug.cgi?id=519928</a>. A large percentage of Google Gadgets load as iframes and require JavaScript onload. We had to play tricks with turning off designMode, appending the iframe and turning designMode back on. It was an awful solution that never worked very well.</div>
<div><br></div><div>Ojan</div>