[whatwg] Sandboxing ideas
Michel Fortin
michel.fortin at michelf.com
Mon May 14 13:29:57 PDT 2007
On 2007-05-14 at 16:02, Jon Barnett wrote:
> On 5/14/07, Michel Fortin <michel.fortin at michelf.com> wrote:
> On 2007-05-14 at 11:35, Alexey Feldgendler wrote:
>
> > I'd treat these two problems as equally important. A separate HTTP
> > request per forum comment on the page is completely unacceptable.
>
> What about encoding the content of each comment iframe in a "data:"
> URI?
>
> The contents of an iframe with a data: URI source should be
> trusted, unlike an iframe with an http: URI source from another
> domain. A script in an iframe with a data: URI source should, by
> default, be able to communicate with the parent window. So, that
> alone doesn't solve the problem.
I was pointing out a solution for the problem of separate HTTP
requests on a forum page. Used in conjunction with some
previously-suggested security attributes on <iframe>, it could do a
pretty good sandbox for user comments on a page.

If you want the sandbox to degrade securely in older browsers, then
this is not a solution. But I don't think there's a nice solution to
that anyway.
Michel Fortin
michel.fortin at michelf.com
http://www.michelf.com/
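
The approach discussed in this message, as an added example that is not part of the original thread: a forum server inlines each comment as a base64 `data:` URI in its own `<iframe>`, so no extra HTTP request is made per comment. It assumes the `sandbox` attribute that HTML later standardized in place of the unnamed "security attributes" from the thread; all function names and sample comments are hypothetical.

```javascript
// Added example, not from the thread. Runs under Node.js (uses the global Buffer).
// Assumption: sandbox="" stands in for the "security attributes" proposed in 2007.

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Wrap one untrusted comment in a full document and encode it as a base64
// data: URI. The base64 alphabet has no quotes or angle brackets, so the
// comment cannot terminate the src attribute of the embedding page.
function commentToDataUri(untrustedHtml) {
  const doc = '<!DOCTYPE html><meta charset="utf-8"><body>' + untrustedHtml + "</body>";
  return "data:text/html;charset=utf-8;base64," + Buffer.from(doc, "utf8").toString("base64");
}

// Inverse of commentToDataUri, used to check the round trip.
function dataUriToDocument(uri) {
  const marker = ";base64,";
  return Buffer.from(uri.slice(uri.indexOf(marker) + marker.length), "base64").toString("utf8");
}

// One iframe per comment, zero extra HTTP requests. An empty sandbox attribute
// grants nothing: no script execution, no form submission, and an opaque origin.
// A browser that ignores the attribute still renders the frame unrestricted,
// which is the insecure degradation in older browsers that the message mentions.
function renderCommentFrame(comment) {
  return '<iframe sandbox="" title="Comment by ' + escapeAttr(comment.author) +
    '" src="' + commentToDataUri(comment.html) + '"></iframe>';
}

function renderThread(comments) {
  return comments.map(renderCommentFrame).join("\n");
}

// Constructed sample comments; the second tries to break out of the attribute
// and reach the parent window.
const sampleComments = [
  { author: "alice", html: "<p>Nice post, <b>thanks</b>!</p>" },
  { author: 'mallory"><x', html: '"></iframe><script>parent.document.title = "owned"</script>' },
];

console.log(renderThread(sampleComments));
```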