[whatwg] The <iframe> element and sandboxing ideas

Frode Børli frode at seria.no
Wed Jul 23 16:07:07 PDT 2008


I am not sure - the sandbox should not allow any scripts at all, that is my
only requirement. More advanced requirements can be taken care of server
side.

The issue I want sandbox for is that it allows us to introduce other ways to
embed scripts in tags in the future. Imagine this becoming legal in HTML 6
for some reason:

<td colspan='javascript(a + 5)'></td>

Where JavaScript returns the value in the colspan attribute. Many server
side HTML sanitizers would have to be updated - unless we introduce a proper
sandbox.

Of course a white list could be nice - but sending a list of 50+ tags for
each item in a guestbook is a bit much. CSS syntax could be used for such a
whitelist; a[href],span[style],area[alt|href] etc. With no whitelist -
everything should be allowed, except scripts.

Frode

2008/7/23 James Ide <ide at berkeley.edu>:

>  On Tue, Jul 22, 2008 at 3:22 PM, Frode Børli <frode at seria.no> wrote:
>
>> The server must escape all user generated content by replacing < with
>> &lt; etc. This is perfectly secure for all existing browsers. The
>> sandbox instructs the browser to unescape. Completely fail safe for
>> all.
>
>
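The CSS-like whitelist syntax sketched above (a[href],span[style],area[alt|href]), as an added server-side filter example that is not code from the thread; how unlisted tags and script content are treated, and the sample guestbook entry, are my assumptions. It also shows the post's point that a tag/attribute whitelist would pass a hypothetical script-bearing colspan value straight through.

```python
import html
from html.parser import HTMLParser

# Constructed example, not code from the thread: the post's CSS-like
# whitelist "a[href],span[style],area[alt|href]" applied as a server-side
# filter. Unlisted tags are removed (text kept); script/style is discarded.
DROP_CONTENT = {"script", "style"}

def parse_whitelist(spec):
    # "a[href],area[alt|href]" -> {"a": {"href"}, "area": {"alt", "href"}}
    allowed = {}
    for item in filter(None, spec.replace(" ", "").split(",")):
        tag, _, attrs = item.partition("[")
        names = attrs.rstrip("]").split("|") if attrs else []
        allowed[tag.lower()] = {n.lower() for n in names if n}
    return allowed

class WhitelistSanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.skip = allowed, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in self.allowed:
            parts = [f"<{tag}"]
            for name, value in attrs:
                if name in self.allowed[tag]:  # only listed attributes
                    esc = html.escape(value or "", quote=True)
                    parts.append(f' {name}="{esc}"')
            self.out.append("".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # text is re-escaped on the way out
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment, spec):
    s = WhitelistSanitizer(parse_whitelist(spec))
    s.feed(fragment)
    s.close()
    return "".join(s.out)

# Constructed guestbook entry, including the post's hypothetical colspan.
ENTRY = ('<a href="/u/1" onclick="track()">me</a><script>x()</script>'
         '<td colspan="javascript(a + 5)">cell</td> Tom &amp; Jerry')
```

With the post's whitelist the onclick handler, the script and the td are all stripped; with a whitelist of `td[colspan]` the colspan value survives unchanged, which is exactly why such sanitizers would need updating if attributes could ever carry script.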