On Wed, May 19, 2010 at 5:35 AM, Ojan Vafai <span dir="ltr"><<a href="mailto:ojan@chromium.org">ojan@chromium.org</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>The webkit behavior of allowing all scripts makes the most sense to me. It should be possible to disable scripts, but that capability shouldn't be tied to editability. The clean solution for the CKEditor developer is to use a sandboxed iframe.</div>
</blockquote><br clear="all"></div>Discussion led to the point that there's a fundamental conflict between sandboxed iframes and JS-based framebusting techniques. The point of <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=519928">https://bugzilla.mozilla.org/show_bug.cgi?id=519928</a> is that Web sites using JS-based techniques to prevent clickjacking can be thwarted if the containing page has a way to disable JS in the child document. Currently 'designmode' is usable that way in Gecko, but 'sandbox' would work even better.<br>
<br>Maybe sites should all move to declarative techniques such as CSP or X-Frame-Options (although there are suggestions that maybe they don't want to for some reason --- see <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c5">https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c5</a> ). But there are still issues with existing sites. Should we care?<br>
<br>Rob<br>-- <br>"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]<br>