[whatwg] The <iframe> element and sandboxing ideas
Frode Børli
frode at seria.no
Wed Jul 23 16:07:07 PDT 2008
I am not sure - the sandbox should not allow any scripts at all, that is my
only requirement. More advanced requirements can be taken care of server
side.
The issue I want sandbox for is that it allows us to introduce other ways to
embed scripts in tags in the future. Imagine this becoming legal in HTML 6
for some reason:
<td colspan='javascript(a + 5)'></td>
Where a javascript returns the value in the colspan attribute. Many server
side HTML sanitizers would have to be updated - unless we introduce a proper
sandbox.
Of course a white list could be nice - but sending a list of 50+ tags for
each item in a guestbook is a bit much. CSS syntax could be used for such a
whitelist; a[href],span[style],area[alt|href] etc. With no whitelist -
everything should be allowed, except scripts.
Frode
2008/7/23 James Ide <ide at berkeley.edu>:
> On Tue, Jul 22, 2008 at 3:22 PM, Frode Børli <frode at seria.no> wrote:
>
>> The server must escape all user generated content by replacing < with
>> < etc. This is perfectly secure for all existing browsers. The
>> sandbox instructs the browser to unescape. Completely fail safe for
>> all.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080724/d8fb6267/attachment.htm>
More information about the whatwg
mailing list