[whatwg] Content Restrictions
alexey at feldgendler.ru
Mon Jan 30 08:13:56 PST 2006
On Mon, 30 Jan 2006 21:21:13 +0600, Gervase Markham <gerv at mozilla.org>
>> It's specifically targeted at keeping decent security in older browsers.
>> User agents that don't support sandboxing won't execute the scripts at
> What problem are you trying to solve with this proposal? I'm not sure
> it's the same one that I am. You are trying to solve the problem of
> letting LiveJournal authors include certain types of "safe" script on
> their page, when currently they aren't allowed to include any.
> I'm trying to solve the problem of protecting users from XSS attacks
> when there are unexpected bugs in an author's web application.
Well, now I see. Really, for this use case your proposal seems reasonable,
but because my proposed <sandbox> element covers both use cases (allowing
limited scripting in user-supplied content, and protection against XSS
bugs as a second line of defense), the content restrictions specified by a
HTTP header may be a duplication. If <sandbox> ends up in the spec, then
the header needs not.
> And anyway, I don't think it's a serious security problem, because it
> already has a solution - filter out <script> altogether. I've not come
> across a compelling use case which says that blogs and wikis need to
> allow people to insert certain sorts of script into the blogpost or wiki
They clearly state that they would like to allow scripts, but they don't
know how to do it safely.
I think it's not just a problem of this particular site.
Opera M2 8.5 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station [ICQ: 115226275] <alexey at feldgendler.ru>
More information about the whatwg