[whatwg] The <iframe> element and sandboxing ideas
shogun70 at westnet.com.au
Thu May 22 20:41:45 PDT 2008
Ian Hickson wrote:
> I'm thinking of introducing a
> new attribute. I haven't worked out what to call it yet, but definitely
> not "src", "source", "src2", "content", "value", or "data" -- maybe
> "html" or "doc", though neither of those are great. This attribute would
> take a string which would then be interpreted as the source document
> markup of an HTML document, much like the above; it would override src=""
> if it was present, allowing src="" to be used for legacy UAs:
> <iframe seamless sandbox="allow-scripts allow-forms" doc="
> <!DOCTYPE HTML>
> Welcome to my blog!
> <a href='#' onclick='alert(document.cookie)'>Click here</a>
> (There are things we can do to make this better, e.g. make the <!DOCTYPE
> HTML> and <title></title> bits implicit, maybe introducing type="" to say
> whether it's HTML or XML instead of only supporting HTML, maybe saying
> that if src="" and doc="" are both specified they must have identical
> data, etc.)
> Comments and suggestions on this are welcome. I haven't added it to the
> spec yet. I do agree that without this or something equivalent that we
> don't have a solution for sandboxing embedded blog comments yet.
I was wondering if you could use the content of the iframe as the source
for the iframe document.
By my testing (FF2, FF3b, Saf2, Saf3, Opera9.2, IE6) it seems that
current browsers ignore content inside an <iframe>. So this degrades
safely for HTML.
The content is available with innerHTML on IE6 and textContent on the
others except Safari-2. So you could possibly emulate the HTML5 behavior.
This idea doesn't adapt so readily to XHTML.
In XHTML the iframe content is also parsed as XHTML, but is not
displayed. Unfortunately Safari and Opera execute any scripts. You could
put the content in a cdata-section, but it feels wrong.
Sorry if this has been discussed before - I couldn't find anything when
I searched the list.
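An added example, not part of the message above, of the emulation it suggests: take the markup written inside the <iframe> (textContent, or innerHTML where that is all there is) and hand it to the frame as its document. It assumes the standard srcdoc attribute as the stand-in for the proposed doc="" attribute, and it deliberately does nothing for XHTML documents or for frames without a sandbox attribute, since in those cases the inline content would either already be parsed as XHTML or would run with the embedding page's origin.

```javascript
// Read the inline markup the way the message describes: textContent where
// the UA provides it, innerHTML otherwise. Works on any element-like object.
function inlineSource(el) {
  if (typeof el.textContent === 'string') return el.textContent;
  if (typeof el.innerHTML === 'string') return el.innerHTML;
  return '';
}

// Decide whether a frame may be upgraded from its src="" fallback to its
// inline content. `doc` is the document that contains the frame.
function shouldUpgrade(iframe, doc) {
  // Only in HTML documents: in XHTML the inline markup is already parsed
  // (and, per the message, some engines run its scripts), so there is no
  // inert fallback to upgrade from.
  if (doc.contentType && doc.contentType !== 'text/html') return false;
  // Only for frames the author marked as sandboxed; otherwise the blog
  // comment would end up as a same-origin document with full script access.
  if (!iframe.hasAttribute('sandbox')) return false;
  // Only when the UA can take inline markup; legacy UAs keep using src="".
  return 'srcdoc' in iframe;
}

// Upgrade every eligible <iframe> in `doc`; returns how many were upgraded.
function upgradeInlineFrames(doc) {
  var frames = doc.getElementsByTagName('iframe');
  var upgraded = 0;
  for (var i = 0; i < frames.length; i++) {
    if (!shouldUpgrade(frames[i], doc)) continue;
    frames[i].srcdoc = inlineSource(frames[i]);
    upgraded++;
  }
  return upgraded;
}

// Run automatically in a browser; harmless when no document exists.
if (typeof document !== 'undefined') upgradeInlineFrames(document);
```

Frames that are skipped keep whatever src="" pointed at, which is exactly the degradation path the message observes in current browsers.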