[whatwg] The <iframe> element and sandboxing ideas
Kristof Zelechovski
giecrilj at stegny.2a.pl
Thu May 22 08:13:57 PDT 2008
Legacy browsers will use @SRC which must be filtered. They will ignore the
new content (whatever the attribute name will be) altogether so it need not
be filtered. Fallback @SRC can contain a URL to an error page saying "Sorry,
not in your browser".
Chris
-----Original Message-----
From: whatwg-bounces at lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Martin Atkins
Sent: Thursday, May 22, 2008 2:21 PM
To: Ian Hickson
Cc: public-webapi at w3.org; whatwg; HTMLWG
Subject: Re: [whatwg] The <iframe> element and sandboxing ideas
Ian Hickson wrote:
> Summary:
>
> * I've added a sandbox="" attribute to <iframe>, which by default
> disables a number of features and takes a space-separated list of
> features to re-enable:
>
[snip list]
Unless I'm missing something, this attribute is useless in practice
because legacy browsers will not impose the restrictions. This means
that as long as legacy browsers exist (i.e. forever) server-side
filtering must still be employed to duplicate the effects of the sandbox.