[whatwg] Sandboxing scripts in pages

Anne van Kesteren annevk at opera.com
Fri Jan 12 13:14:44 PST 2007

On Fri, 12 Jan 2007 22:09:40 +0100, Asbjørn Ulsberg  
<asbjorn at tigerstaden.no> wrote:
>> Use an <iframe> and use cross-document messaging? This has been  
>> discussed a lot by the way.
> Frames are a terrible solution. The content is after all a part of the  
> page it's hosted in, but we want to sandbox it to make sure it can't do  
> any harm.

The proposed alternative is severely underdefined and won't work for the  
foreseeable future anyway.

> Let's say we'd like to sandbox anonymous user-contributed comments on a  
> blog, but not comments from logged in users. That would require all  
> anonymous comments to be placed within an iframe. For 100 anonymous  
> comments, that's 100 iframes on a single web page. Don't tell me that's  
> an elegant solution.

Why wouldn't have you have comment sanitization? Nope that you could use  
data: URIs on the <iframe>s.

Anne van Kesteren

More information about the whatwg mailing list