[whatwg] some thoughts on sandboxed IFRAMEs

Michal Zalewski lcamtuf at coredump.cx
Sun Dec 13 13:30:33 PST 2009


> The @sandbox seems like a better fit for the advertising use case.

I am not contesting this, to be clear - I am aware of many cases where
it would be very useful - but gadgets are a fairly small part of the
Internet, and seems like a unified solution would be more desirable
than several very different APIs with different granularity.

The toStaticHTML-alike will address another specific uses, but will
leave applications that can't rely on JS exclusively for their
rendering needs (which I'd wager is still a majority) out in the cold;
which would probably lead to a yet another XSS prevention / HTML
sandboxing approach emerging later on.

I haven't really seen a compelling argument why all these can't be
unified without a significant increase in code or spec complexity -
maybe one exists.

More importantly, some of the features of @sandbox (e.g.,
allow-same-origin), as well as some of the examples in the spec, seem
to be explicitly targeted for other use cases, which makes me think
this is not the consensus between the authors; and the particular
same-origin "user content" example would promote highly unsafe coding
practices if ever followed. So it seems to me like such a narrow use
case is not even the consensus between authors?

Cheers,
/mz



More information about the whatwg mailing list