[whatwg] The <iframe> element and sandboxing ideas

Ian Hickson ian at hixie.ch
Fri Feb 13 13:54:51 PST 2009

(Please pick one mailing list when replying, so as to reduce 

On Thu, 22 May 2008, Martin Atkins wrote:
> > 
> >  * I've added a sandbox="" attribute to <iframe>, which by default
> >    disables a number of features and takes a space-separated list of
> >    features to re-enable:
> Unless I'm missing something, this attribute is useless in practice 
> because legacy browsers will not impose the restrictions. This means 
> that as long as legacy browsers exist (i.e. forever) server-side 
> filtering must still be employed to duplicate the effects of the 
> sandbox.
> One alternative would be to use a different element name so that 
> fallback content can be provided for legacy browsers. In the short term, 
> this is likely to be something like this:
> <sandbox src="/comments/blah">
> <iframe src="/comments/blah?do-security-filtering=1"></iframe>
> </sandbox>
> Once a large percentage of browsers support <sandbox> authors can start 
> to be less accommodating with their fallback content, either by 
> filtering out HTML tags entirely (which I'd assume is easier than just 
> filtering out script) or at the extreme just setting the fallback 
> content to be "Your browser is not supported".

One can just do:

   <iframe sandbox src="/comments/blah?do-security-filtering=1"></iframe>

The "sandbox" feature just provides one more level of defence in depth, 
and is not intended to be a complete security solution.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list