[whatwg] Sandboxing to accommodate user generated content.

Anne van Kesteren annevk at opera.com
Tue Jun 17 04:50:57 PDT 2008

On Tue, 17 Jun 2008 06:09:55 +0200, Frode Børli <frode at seria.no> wrote:
> Hi! I am a new member of this mailing list, and I wish to contribute
> with a couple of specific requirements that I believe should be
> discussed and perhaps implemented in the final specification. I am
> unsure if this is the correct place to post my ideas (or if my ideas are
> even new), but if it is not, then I am sure somebody will instruct me. :)
> One person told me that the specification was finished and no new
> features would be added from now on - but hopefully that is not true.

That is actually true. However, sandboxing has been proposed in the past  
and is therefore still considered in scope. (Unless of course we decide  
it's out of scope, but given the sandboxing features already in the  
specification, I expect that to be not the case.)

> One solution:
> <htmlarea>User generated content</htmlarea>

As you note this solution has significant issues. Besides inserting  
</htmlarea> it would also allow execution of scripts in legacy user agents  
and is therefore not really backwards compatible.

I believe the idea to deal with this is to add another attribute to  
<iframe>, besides sandbox="" and seamless="" we already have for  
sandboxing. This attribute, doc="", would take a string of markup where  
you would only need to escape the quotation character used (so either ' or  
"). The fallback for legacy user agents would be the src="" attribute.

Anne van Kesteren
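
The serialisation step the message describes for doc="", as an added example that is not part of the original message or of any specification text. The helper names, the sample content and the fallback URL are constructed for illustration; besides the quotation character, the sketch also escapes "&", which the message does not mention, so that character references already present in the content are not decoded one level early by the attribute parser.

```javascript
// Added example. `doc` is the attribute name proposed in the message;
// escapeAttr, decodeAttr and buildFrame are hypothetical helper names.

// Escape markup for use inside a quoted attribute value.
// "&" goes first so that references such as &lt; in the content stay literal;
// the chosen quote character goes second so the content cannot end the value.
function escapeAttr(markup, quote = '"') {
  const quoteRef = quote === '"' ? '&quot;' : '&#39;';
  return markup.replace(/&/g, '&amp;').split(quote).join(quoteRef);
}

// Single-pass inverse for exactly the references escapeAttr emits.
// It stands in for the attribute-value decoding a user agent performs.
function decodeAttr(value) {
  const table = { amp: '&', quot: '"', '#39': "'" };
  return value.replace(/&(amp|quot|#39);/g, (_, name) => table[name]);
}

// Build the element: sandbox="" applies the restrictions, src="" is the
// fallback for legacy user agents, doc="" carries the inline markup.
function buildFrame(userMarkup, fallbackSrc) {
  return '<iframe sandbox="" src="' + escapeAttr(fallbackSrc) +
         '" doc="' + escapeAttr(userMarkup) + '"></iframe>';
}

// Constructed sample: content that tries to close the attribute and the
// element, plus text that was already entity-encoded once.
const sample = '"></iframe><b>outside</b> &lt;i&gt;';
const frame = buildFrame(sample, '/ugc/42.html');

// The value between doc=" and the final "></iframe> must contain no raw quote
// and must decode back to the original bytes.
function docValueOf(html) {
  const start = html.indexOf(' doc="') + 6;
  return html.slice(start, html.lastIndexOf('"></iframe>'));
}

console.log(frame);
console.log(decodeAttr(docValueOf(frame)) === sample);
```
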
