[whatwg] Sandboxing scripts in pages

Mike Schinkel mikeschinkel at gmail.com
Sat Jan 13 06:37:23 PST 2007

James M Snell wrote:
> I've recently been musing over some ideas around sandboxing 
> scripts and styles within a document [1].  
> Thoughts?
> - James
> [1] http://www.snellspace.com/wp/?p=582

Excellent idea!

Bjoern Hoehrmann wrote:
> It would be helpful if you could first explain what pain you 
> are trying to solve and how your solution would solve it. 

A community site could allow user-contributed script to add functionality to
the community on sites such as free-form as a wiki, and hence with
open-ended use cases. But that's not really possible today because the
almost certainty of maliciousness.

Jorgen Horstink wrote: 
> Please provide a real use case. I second Anne's point of 
> comment sanitation. Can you give me one single use case when 
> it is useful to use ECMAScript in a comment on a blog? 

I'm working on such a real world use case and would like to solve the pain.
I'd rather not describe it explicitly yet, but consider a situation where I
have a script that operates on a section of HTML that allows plugs-in from
arbitrary URLs.  A webmaster could use this but would have to trust that the
webmaster of the plugins would not change their script after he used them
and thus would be much less likely to use this functionality. If he could
sandbox it, that requirement for trust would be diminished and it would
increase the likelihood the use of the functionality would spread. FYI, an
IFRAME would NOT work for this use-case as it is about linking script files
ot the main document, not about visual widgets.

BTW, I'd ALSO like a sandbox capability that completely disables script for
use within blog comment sections and forum posts etc.

-Mike Schinkel
"It never ceases to amaze how many people will proactively debate away
attempts to improve the web..."

More information about the whatwg mailing list