[whatwg] The <iframe> element and sandboxing ideas
Ian Hickson
ian at hixie.ch
Fri Feb 13 13:54:51 PST 2009
(Please pick one mailing list when replying, so as to reduce
cross-posting.)
On Thu, 22 May 2008, Martin Atkins wrote:
> >
> > * I've added a sandbox="" attribute to <iframe>, which by default
> > disables a number of features and takes a space-separated list of
> > features to re-enable:
>
> Unless I'm missing something, this attribute is useless in practice
> because legacy browsers will not impose the restrictions. This means
> that as long as legacy browsers exist (i.e. forever) server-side
> filtering must still be employed to duplicate the effects of the
> sandbox.
>
> One alternative would be to use a different element name so that
> fallback content can be provided for legacy browsers. In the short term,
> this is likely to be something like this:
>
> <sandbox src="/comments/blah">
> <iframe src="/comments/blah?do-security-filtering=1"></iframe>
> </sandbox>
>
> Once a large percentage of browsers support <sandbox> authors can start
> to be less accommodating with their fallback content, either by
> filtering out HTML tags entirely (which I'd assume is easier than just
> filtering out script) or at the extreme just setting the fallback
> content to be "Your browser is not supported".
One can just do:
<iframe sandbox src="/comments/blah?do-security-filtering=1"></iframe>
The "sandbox" feature just provides one more level of defence in depth,
and is not intended to be a complete security solution.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
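As an added example (not part of this thread), the two layers Ian describes combined in one page-side helper: the server-filtered URL, which is what protects legacy browsers, is always requested, and the sandbox attribute is layered on top. The `do-security-filtering=1` parameter is taken from Martin's markup; the `allow-*` token names are from the later HTML specification, not from this 2008 message, and the base URL is a placeholder used only to resolve relative paths.

```javascript
// Added example, not code from the whatwg thread.
// Sandbox re-enable tokens as standardised later in HTML (assumed, not from the thread).
const SANDBOX_TOKENS = new Set([
  'allow-forms', 'allow-popups', 'allow-same-origin',
  'allow-scripts', 'allow-top-navigation',
]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Build the <iframe> embed for a comments URL with both defence layers applied.
// Layer 1 (server side): always ask for the filtered rendition, because a browser
//   that predates sandbox="" will enforce nothing on its own.
// Layer 2 (browser side): sandbox="" with only the explicitly listed tokens re-enabled.
function buildSandboxedEmbed(commentsUrl, reenable = []) {
  const isAbsolute = /^[a-z][a-z0-9+.-]*:/i.test(commentsUrl);
  // Placeholder base, only used so relative paths can be parsed and re-emitted.
  const url = new URL(commentsUrl, 'https://example.invalid/');
  url.searchParams.set('do-security-filtering', '1');
  const src = isAbsolute ? url.href : url.pathname + url.search + url.hash;

  // Unknown tokens are dropped rather than emitted, so typos fail closed.
  const tokens = reenable.filter((t) => SANDBOX_TOKENS.has(t));
  const warnings = [];
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    // With both tokens, same-origin framed script can reach the parent and strip the attribute.
    warnings.push('allow-scripts together with allow-same-origin lets same-origin content remove its own sandbox');
  }
  const sandbox = tokens.join(' ');
  const html = `<iframe sandbox="${escapeAttr(sandbox)}" src="${escapeAttr(src)}"></iframe>`;
  return { src, sandbox, warnings, html };
}

// Feature detection: a browser that enforces sandbox exposes it as an IDL attribute.
// Useful for telemetry on how much of the audience still relies on layer 1 alone.
function supportsSandbox(doc) {
  return 'sandbox' in doc.createElement('iframe');
}
```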