[whatwg] Sandboxing scripts in pages

Jorgen Horstink mail at jorgenhorstink.nl
Fri Jan 12 15:34:44 PST 2007


On Jan 12, 2007, at 10:30 PM, James M Snell wrote:

>
> Anne van Kesteren wrote:
>> [snip]
>>>
>>> Frames are a terrible solution. The content is after all a part  
>>> of the
>>> page it's hosted in, but we want to sandbox it to make sure it can't
>>> do any harm.
>>
>> The proposed alternative is severely underdefined and won't work  
>> for the
>> foreseeable future anyway.
>> [snip]
>
> Minor nit:
>
>   s/proposed alternative/simple strawman to illustrate the point/
>
> I just want the behavior or something that comes close without
> necessarily having to resort to aggressive filtering.  That is, I  
> don't
> necessarily want to eliminate scripts from the comments, I just  
> want to
> be able to limit their impact.
>
> Either way, I'm fully aware that any new invention here would take a
> while to actually work.
>
> - James
>
Please provide a real use case. I second Anne's point of comment  
sanitation. Can you give me one single use case when it is useful to  
use ECMAScript in a comment on a blog? Secondly, just as Bjoern  
states; a malicious script could easily position new element on top  
of other elements. Or do you want to restrict that too? I cannot see  
what CSS has to do with it, since it is not a style issue, but a DOM  
access behavior issue.

-- Jorgen




More information about the whatwg mailing list