[whatwg] The <iframe> element and sandboxing ideas

Ian Hickson ian at hixie.ch
Tue Feb 17 17:41:35 PST 2009

(Please only cc one mailing list when replying.)

On Wed, 2 Jul 2008, Mike Ter Louw wrote:
> > 
> > There are various things that this doesn't address yet; e.g. there's 
> > no way to force (or even allow) a non-seamless iframe to open links in 
> > the parent window.
> There also does not seem to be a way for embedding untrusted content in 
> a unique browsing context (i.e., different origin) that allows scripting 
> and is seamless with the surrounding document.

Indeed. Allowing seamless rendering across origins is a security risk for 
the inner frame (e.g. you could hide everything but one button, and have 
the user click that button unknowingly). Allowing this would make 
clickjacking look like a joke. :-)

> Here's another perspective: Is HTML 5 going to provide sufficient 
> flexibility to enable web authors to safely embed untrusted content, or 
> will future generations of web apps continue to rely on content 
> filtering/sanitization techniques for restricting capabilities of 
> untrusted content?

Filtering will always be important, I expect, for downlevel clients if 
nothing else.

> > This isn't very readable, I'll grant you. I'm thinking of introducing 
> > a new attribute. I haven't worked out what to call it yet, but 
> > definitely not "src", "source", "src2", "content", "value", or "data" 
> > -- maybe "html" or "doc", though neither of those are great. This 
> > attribute would take a string which would then be interpreted as the 
> > source document markup of an HTML document, much like the above; it 
> > would override src="" if it was present, allowing src="" to be used 
> > for legacy UAs:
> This new attribute, along with some form of content encoding (e.g., data 
> URI scheme), could be very important to the usefulness of the seamless 
> and sandbox attributes in some applications.  Is the hold up just 
> indecision about naming? How about "text" or "document"?

The hold-up is that I don't want to add this to the spec before we have 
experience from implementors showing that sandbox= and seamless= are a 
good idea at all.

(You also requested examples, which I'll be adding in due course.)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list