[whatwg] The <iframe> element and sandboxing ideas
Boris Zbarsky
bzbarsky at MIT.EDU
Thu May 22 20:19:12 PDT 2008
Kristof Zelechovski wrote:
> 1. Nested browsing contexts in a sandboxed frame cannot be created
> dynamically but they can be defined by the inner markup.
There was no mention of "dynamically" in Ian's proposal. My assumption
was that "cannot create browsing contexts" meant just that. If it
doesn't, the wording needs some changes.
> 2. If the frame is not allowed to execute scripts, setting location to
> script should have no effect.
OK. Again, that was not clear in the original proposal.
> 4. Percentage in height scales to the container's height, not to the initial
> dimensions of the current element. It is an error if the container's height
> is left implicit
It's not an error in CSS. Or are you suggesting a different algorithm?
> or if the sum of percentages exceeds 100%.
Again, not a problem in CSS. Percentages of auto just get treated as
auto. If you're suggesting a totally different algorithm, it needs a
lot of fleshing out.
> 5. The argument against SANDBOX is that the user could inject /SANDBOX. The
> argument against code attribute is that the user could inject a quote.
> Aren't these similar enough to reconsider SANDBOX?
SANDBOX and the non-base64 attribute thing seem pretty similar in a lot
of ways to me, except that the iframe (having a separate Window and
such) might be easier to secure in existing implementations.
-Boris
More information about the whatwg
mailing list