[whatwg] The <iframe> element and sandboxing ideas

Ian Hickson ian at hixie.ch
Sun Apr 26 23:10:27 PDT 2009

On Fri, 13 Feb 2009, Adam Barth wrote:
> On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson <ian at hixie.ch> wrote:
> > Indeed. If someone can come up with a way of making this work in legacy
> > UAs, I'd certainly be happy to change the spec to do that.
> Here's a suggestion.  When requesting the contents of a sandboxed
> iframe, send an HTTP header that contains the sandbox policy:
> X-HTML-Sandbox-Policy: allow-forms, allow-scripts
> Servers can decide not to serve untrusted content if they don't see a
> sandbox policy they like.

Some of the flags can be changed dynamically, so that the server can be 
given one set of flags but other flags actually apply. Does that matter?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list