[whatwg] The <iframe> element and sandboxing ideas

[Adam Barth]

On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson <ian at hixie.ch> wrote:
> Indeed. If someone can come up with a way of making this work in legacy
> UAs, I'd certainly be happy to change the spec to do that.

Here's a suggestion.  When requesting the contents of a sandboxed
iframe, send an HTTP header that contains the sandbox policy:

X-HTML-Sandbox-Policy: allow-forms, allow-scripts

Servers can decide not to serve untrusted content if they don't see a
sandbox policy they like.

Adam