[whatwg] The <iframe> element and sandboxing ideas
whatwg at adambarth.com
Fri Feb 13 15:50:42 PST 2009
On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson <ian at hixie.ch> wrote:
> Indeed. If someone can come up with a way of making this work in legacy
> UAs, I'd certainly be happy to change the spec to do that.

Here's a suggestion. When requesting the contents of a sandboxed
iframe, send an HTTP header that contains the sandbox policy:

    X-HTML-Sandbox-Policy: allow-forms, allow-scripts

Servers can decide not to serve untrusted content if they don't see a
sandbox policy they like.
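
The server-side check suggested in the message above, as an added example that is not part of the original post or of any specification. The set of acceptable flags, the function names, the 403 response and the treatment of an empty header value as "sandboxed with no extra permissions" are assumptions made for illustration.

```python
# Added example: server-side gate for the X-HTML-Sandbox-Policy request
# header proposed in the post. Fails closed when the header is absent.
HEADER = "X-HTML-Sandbox-Policy"  # header name as proposed in the post

# Assumption: flags this server tolerates when serving untrusted content.
ACCEPTABLE_FLAGS = frozenset({"allow-forms"})


def parse_policy(value):
    """Split 'allow-forms, allow-scripts' into a set of lowercase tokens."""
    return frozenset(t.strip().lower() for t in value.split(",") if t.strip())


def may_serve_untrusted(headers, acceptable=ACCEPTABLE_FLAGS):
    """Return (ok, reason) for a dict of request headers."""
    # HTTP header names are case-insensitive.
    found = [v for k, v in headers.items() if k.lower() == HEADER.lower()]
    if not found:
        # Legacy UA, or a load that is not sandboxed at all.
        return False, "no sandbox policy sent"
    granted = parse_policy(found[0])
    excess = granted - acceptable  # unknown tokens also land here
    if excess:
        return False, "policy grants " + ", ".join(sorted(excess))
    return True, "sandbox policy accepted"


def respond(headers, untrusted_body):
    """Hypothetical handler returning (status, response_headers, body)."""
    ok, reason = may_serve_untrusted(headers)
    # The response depends on a request header, so tell caches about it.
    response_headers = {"Vary": HEADER}
    if not ok:
        return 403, response_headers, "refused: " + reason
    return 200, response_headers, untrusted_body


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in ({}, {HEADER: "allow-forms, allow-scripts"}, {HEADER: "allow-forms"}):
        print(sample, "->", respond(sample, "<p>user content</p>")[0])
```

The header is set by the requesting client, so this gate protects users whose browser would otherwise render the content without a sandbox; it is not an access control on the content itself.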