[whatwg] The <iframe> element and sandboxing ideas

Kristof Zelechovski giecrilj at stegny.2a.pl
Thu May 22 08:13:57 PDT 2008


Legacy browsers will use @SRC which must be filtered.  They will ignore the
new content (whatever the attribute name will be) altogether so it need not
be filtered. Fallback @SRC can contain a URL to an error page saying "Sorry,
not in your browser".
Chris

-----Original Message-----
From: whatwg-bounces at lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Martin Atkins
Sent: Thursday, May 22, 2008 2:21 PM
To: Ian Hickson
Cc: public-webapi at w3.org; whatwg; HTMLWG
Subject: Re: [whatwg] The <iframe> element and sandboxing ideas

Ian Hickson wrote:
> Summary:
> 
>  * I've added a sandbox="" attribute to <iframe>, which by default
>    disables a number of features and takes a space-separated list of
>    features to re-enable:
> 
[snip list]

Unless I'm missing something, this attribute is useless in practice 
because legacy browsers will not impose the restrictions. This means 
that as long as legacy browsers exist (i.e. forever) server-side 
filtering must still be employed to duplicate the effects of the sandbox.






More information about the whatwg mailing list