[whatwg] The <iframe> element and sandboxing ideas
Ian Hickson
ian at hixie.ch
Tue Feb 17 17:41:35 PST 2009
(Please only cc one mailing list when replying.)

On Wed, 2 Jul 2008, Mike Ter Louw wrote:
> >
> > There are various things that this doesn't address yet; e.g. there's
> > no way to force (or even allow) a non-seamless iframe to open links in
> > the parent window.
>
> There also does not seem to be a way for embedding untrusted content in
> a unique browsing context (i.e., different origin) that allows scripting
> and is seamless with the surrounding document.

Indeed. Allowing seamless rendering across origins is a security risk for
the inner frame (e.g. you could hide everything but one button, and have
the user click that button unknowingly). Allowing this would make
clickjacking look like a joke. :-)

> Here's another perspective: Is HTML 5 going to provide sufficient
> flexibility to enable web authors to safely embed untrusted content, or
> will future generations of web apps continue to rely on content
> filtering/sanitization techniques for restricting capabilities of
> untrusted content?

Filtering will always be important, I expect, for downlevel clients if
nothing else.

> > This isn't very readable, I'll grant you. I'm thinking of introducing
> > a new attribute. I haven't worked out what to call it yet, but
> > definitely not "src", "source", "src2", "content", "value", or "data"
> > -- maybe "html" or "doc", though neither of those are great. This
> > attribute would take a string which would then be interpreted as the
> > source document markup of an HTML document, much like the above; it
> > would override src="" if it was present, allowing src="" to be used
> > for legacy UAs:
>
> This new attribute, along with some form of content encoding (e.g., data
> URI scheme), could be very important to the usefulness of the seamless
> and sandbox attributes in some applications. Is the hold up just
> indecision about naming? How about "text" or "document"?

The hold-up is that I don't want to add this to the spec before we have
experience from implementors showing that sandbox= and seamless= are a
good idea at all.

(You also requested examples, which I'll be adding in due course.)

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
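
An added example, not part of the original message or of the spec: the attribute discussed in the quoted text was later standardized under the name srcdoc, and this sketch builds a sandboxed frame that carries untrusted markup inline while keeping src="" for legacy UAs. The helper names, the sample comment and the /comments/42.html path are assumptions.

```javascript
// Added example. Assumes the later-standardized attribute name "srcdoc";
// function and option names are hypothetical.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-popups", "allow-same-origin",
  "allow-scripts", "allow-top-navigation",
]);

// Escape text for use inside a double-quoted HTML attribute value.
// "&" must be replaced first so later entities are not double-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build <iframe> markup that embeds untrusted HTML as an inline document.
// An empty sandbox="" applies every restriction; tokens in `allow` lift them.
function buildSandboxedFrame(untrustedHtml, options = {}) {
  const { fallbackSrc = "about:blank", allow = [] } = options;
  for (const token of allow) {
    if (!KNOWN_TOKENS.has(token)) {
      throw new Error(`unknown sandbox token: ${token}`);
    }
  }
  // An inline document with both tokens runs script in the embedder's origin
  // and can remove its own sandbox attribute, so refuse the combination.
  if (allow.includes("allow-scripts") && allow.includes("allow-same-origin")) {
    throw new Error("allow-scripts plus allow-same-origin defeats the sandbox");
  }
  return (
    `<iframe sandbox="${escapeAttr(allow.join(" "))}"` +
    ` src="${escapeAttr(fallbackSrc)}"` +
    ` srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`
  );
}

// Constructed sample: a comment that tries to close the attribute and the tag.
const sampleComment = 'Nice post!"></iframe><script>track()</script>';
console.log(buildSandboxedFrame(sampleComment, { fallbackSrc: "/comments/42.html" }));
```

A legacy UA that loads the src="" fallback may not enforce sandbox= either, so the document behind that URL still needs filtering.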