[whatwg] some thoughts on sandboxed IFRAMEs

Michal Zalewski lcamtuf at coredump.cx
Sun Dec 13 11:18:21 PST 2009

> Nah, token-guarding is no good. [...] More importantly, though,
> it puts a significant burden on authors to generate unpredictable
> tokens.

Btw, just to clarify - I am not proposing this instead of the current
method; we could very well allow token-guarded sandboxing on divs /
spans, and sandboxing sans tokens on iframes, without making the
mechanism much more complicated or unintuitive. Iframes solve one
class of problems (mostly, sandboxing entire pages or larger blobs of
text, with certain performance and usability trade-offs); lightweight
divs / spans solve another (easy and low-cost sandboxing of small
snippets of user input) in a conceptually similar way.

If we do not address that second need, we are bound to see completely
different mechanisms emerge (such as the toStaticHTML variants), with
different semantics, security controls, and filtering granularity,
which I think is suboptimal. And since these mechanisms are limited to
JS, we may eventually see a third class of solutions emerge at some
point, which is really all too reminiscent of the misery with 5 or so
flavors of SOP. So my general concern is this: token-guarded tags may
not be the best way to do it, but still.
