[whatwg] The <iframe> element and sandboxing ideas

Frode Børli frode at seria.no
Mon Jul 21 15:35:03 PDT 2008


I like the proposal of adding a "seamless" attribute to the iframe element,
though it should perhaps be added using CSS since it applies to styling?

I also want the following:

<span sandbox=1> </span>

This is because a typical Web 2.0 usage is to have a list of comments with a
thumbs up/thumbs down for each message. This requires more fine grained
control of what is user generated content and what is scripted content.

The problem is 1: that the user can easily write </span> in his comment and
bypass the sandbox and 2: it is not backward compatible.

This is prevented by requiring anything inside a sandbox being entity
escaped:

<span sandbox=1> </span> </span>

If the browser finds unescaped content inside a sandbox it should refuse to
display the page - thereby forcing the author to fix this immediately.

Any comments?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080722/8b1ac810/attachment-0001.htm>


More information about the whatwg mailing list