[whatwg] Sandboxing ideas

Dean Edwards dean at edwards.name
Tue May 8 09:32:14 PDT 2007

Ian Hickson wrote:
> A number of people made proposals related to sandboxing content to improve 
> Web security.

> On Fri, 15 Dec 2006, Dean Edwards wrote:
>> When creating DHTML widgets (e.g. a colour picker) developers have to 
>> battle the CSS cascade. A widget might be made of various HTML elements 
>> which inherit style from the page. Sometimes inherited styles can mess 
>> with the layout of your widget. So we end up coding stuff like this:
>> #widget div {margin: 0 !important; padding: 0 !important;}
>> #widget input {border: 0 !important;}
>> You can't realistically cover all the cases so potentially a new style rule
>> can ruin your widget layout completely.
>> So I'm suggesting a new element: <reset>
>> This element is in the document flow as normal except that it acts as a 
>> blank canvas as far as CSS is concerned. Ideally, it should have no 
>> style at all. Like this:
>> http://developer.yahoo.com/yui/reset/
>> The <reset> element acts as a container for HTML elements that are not 
>> included in the CSS cascade. That way we can build and style widgets 
>> without worrying about the page that will contain them.
> This sounds very much like something you'd do with XBL, no? Could you 
> elaborate on the use case? I mean, colour pickers are the poster child of 
> XBL use cases.

XBL has an attribute to cover inherited styles, so you're right. 
Realistically, I can't see Microsoft ever implementing XBL (I hope I'm 
wrong). So adding it to HTML might be the only way to achieve this 

All of the use cases will almost certainly overlap with XBL use cases.


> On Fri, 15 Dec 2006, Dean Edwards wrote:
>> I would still like a way to prevent CSS inheritance though. So far the 
>> suggestions are:
>> 1. <reset> element
>> 2. inheritstyle="false" attribute
>> 3. cascade:off; CSS property
>> I don't really mind which one it is. None of them seems particularly 
>> wrong.
> Is it really inheritance you want to stop? Wouldn't you want to stop all 
> styles from applying at that point? e.g. if someone had:
>    * { border: solid; }
> The 'border' property isn't inherited, but would yous till want the border 
> rule to not apply to the "widget"?

Good point, it's not just inherited styles. In which case only the first 
choice, a <reset> element, is sufficient.

Some other nice-to-haves:

* this element would have its own JavaScript namespace
  - scripts contained by the element would be bound to that namespace
  - a <reset> element is allowable in <head>
* can validly contain a <style> element

Kind of like an <iframe> but without an external source.


More information about the whatwg mailing list