[whatwg] Sandboxing scripts in pages
Anne van Kesteren
annevk at opera.com
Fri Jan 12 13:14:44 PST 2007
On Fri, 12 Jan 2007 22:09:40 +0100, Asbjørn Ulsberg
<asbjorn at tigerstaden.no> wrote:
>> Use an <iframe> and use cross-document messaging? This has been
>> discussed a lot by the way.
>
> Frames are a terrible solution. The content is after all a part of the
> page it's hosted in, but we want to sandbox it to make sure it can't do
> any harm.
The proposed alternative is severely underdefined and won't work for the
foreseeable future anyway.
> Let's say we'd like to sandbox anonymous user-contributed comments on a
> blog, but not comments from logged in users. That would require all
> anonymous comments to be placed within an iframe. For 100 anonymous
> comments, that's 100 iframes on a single web page. Don't tell me that's
> an elegant solution.
Why wouldn't you have comment sanitization? Note that you could use
data: URIs on the <iframe>s.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
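
The approach suggested in this message (one <iframe> per anonymous comment, loaded from a data: URI, with sanitization and cross-document messaging), as an added example that is not part of the original post. The function names, the message shape and the 2000px height cap are assumptions; the origin check assumes current browsers, which give data: documents an opaque origin.

```javascript
// Added example; all names and the message shape are hypothetical.

// Sanitization: treat the comment as text, never as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// One data: URI document per anonymous comment. Its only script reports the
// rendered height to the embedding page (cross-document messaging). The
// target origin is "*" because the message carries nothing but a height.
function commentFrameSrc(text, id) {
  if (!Number.isInteger(id)) throw new TypeError('id must be an integer');
  const doc = '<!doctype html><meta charset="utf-8"><body><p>' + escapeHtml(text) +
    '</p><script>parent.postMessage({type:"comment-height",id:' + id +
    ',height:document.body.scrollHeight},"*")</' + 'script>';
  return 'data:text/html;charset=utf-8,' + encodeURIComponent(doc);
}

// Anonymous comments go in a frame; comments from logged-in users stay inline.
// Both are escaped first.
function renderComment(c) {
  if (!c.anonymous) return '<p>' + escapeHtml(c.text) + '</p>';
  return '<iframe id="comment-' + c.id + '" src="' + commentFrameSrc(c.text, c.id) + '"></iframe>';
}

// Parent-side handler logic. Assumes current browsers, where a data: document
// has an opaque origin: event.origin is "null" and cannot identify the sender,
// so the sender is matched on event.source (frameWindows: contentWindow -> id).
function acceptFrameMessage(event, frameWindows) {
  const id = frameWindows.get(event.source);
  const d = event.data;
  if (id === undefined || event.origin !== 'null') return null;
  if (d === null || typeof d !== 'object' || d.type !== 'comment-height' || d.id !== id) return null;
  if (!Number.isInteger(d.height) || d.height < 0 || d.height > 2000) return null;
  return { id, height: d.height };
}
```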