[whatwg] Sandboxing ideas
Alexey Feldgendler
alexey at feldgendler.ru
Mon May 14 13:19:06 PDT 2007
On Mon, 14 May 2007 22:02:42 +0200, Jon Barnett <jonbarnett at gmail.com> wrote:
>>> I'd treat these two problems as equally important. A separate HTTP
>>> request per forum comment on the page is completely unacceptable.
>> What about encoding the content of each comment iframe in a "data:" URI?
> The contents of an iframe with a data: URI source should be trusted,
> unlike an iframe with an http: URI source from another domain. A script
> in an iframe with a data: URI source should, by default, be able to
> communicate with the parent window. So, that alone doesn't solve the
> problem.
Not to mention that data: URIs are ugly, wasteful (because of the BASE64
encoding), cannot be read and written by humans directly, and have maximum
length problems in some implementations.
--
Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com