[whatwg] Sandboxing scripts in pages
mail at jorgenhorstink.nl
Fri Jan 12 15:34:44 PST 2007
On Jan 12, 2007, at 10:30 PM, James M Snell wrote:
> Anne van Kesteren wrote:
>>> Frames are a terrible solution. The content is after all a part of the
>>> page it's hosted in, but we want to sandbox it to make sure it can't
>>> do any harm.
>> The proposed alternative is severely underdefined and won't work for the
>> foreseeable future anyway.
> Minor nit:
> s/proposed alternative/simple strawman to illustrate the point/
> I just want the behavior or something that comes close without
> necessarily having to resort to aggressive filtering. That is, I
> necessarily want to eliminate scripts from the comments, I just want to
> be able to limit their impact.
> Either way, I'm fully aware that any new invention here would take a
> while to actually work.
> - James
Please provide a real use case. I second Anne's point of comment
sanitation. Can you give me one single use case when it is useful to
use ECMAScript in a comment on a blog? Secondly, just as Bjoern
states, a malicious script could easily position a new element on top
of other elements. Or do you want to restrict that too? I cannot see
what CSS has to do with it, since it is not a style issue, but a DOM
access behavior issue.