[whatwg] The <iframe> element and sandboxing ideas
Martin Atkins
mart at degeneration.co.uk
Thu May 22 05:20:49 PDT 2008
Ian Hickson wrote:
> Summary:
>
> * I've added a sandbox="" attribute to <iframe>, which by default
> disables a number of features and takes a space-separated list of
> features to re-enable:
>
[snip list]

Unless I'm missing something, this attribute is useless in practice
because legacy browsers will not impose the restrictions. This means
that as long as legacy browsers exist (i.e. forever) server-side
filtering must still be employed to duplicate the effects of the sandbox.

One alternative would be to use a different element name so that
fallback content can be provided for legacy browsers. In the short term,
this is likely to be something like this:

    <sandbox src="/comments/blah">
      <iframe src="/comments/blah?do-security-filtering=1"></iframe>
    </sandbox>

Once a large percentage of browsers support <sandbox> authors can start
to be less accommodating with their fallback content, either by
filtering out HTML tags entirely (which I'd assume is easier than just
filtering out script) or at the extreme just setting the fallback
content to be "Your browser is not supported".

This comment does not address "seamless", which seems to be orthogonal
and can thus be equally applied to both sandbox and iframe as currently
specified.