[whatwg] <object> behavior

Ian Hickson ian at hixie.ch
Sun Oct 18 14:48:51 PDT 2009

On Sun, 18 Oct 2009, Ben Laurie wrote:
> > but if you want a very specific type used for a plugin, you can use 
> > <embed>.
> So what's the difference between <embed> and <object>?

<embed> only allows plugins; <object> also allows other things, like HTML 
and images.

> > If you just want to allow the untrusted site to do anything, but in 
> > their own security context so it can't harm your site, use <iframe>.
> iframe is insufficient to prevent untrusted content from doing harm. It 
> also makes it painful to communicate with the untrusted content.

Both of these issues are addressed in HTML5, with sandbox="" on <iframe>, 
and postMessage() on Window. Hopefully that will make things better in the 
long term.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
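
The sandbox="" plus postMessage() combination named in the reply above, sketched from the embedding page's side as an added example (not part of the original message or of the HTML5 spec text). The iframe id, the URL, and the "resize"/"ready" message schema are assumptions made for illustration.

```javascript
// Markup assumed on the host page (hypothetical id and URL):
//   <iframe id="widget" sandbox="allow-scripts"
//           src="https://untrusted.example/widget.html"></iframe>
// Without allow-same-origin the framed document gets an opaque origin, so
// event.origin arrives as the string "null" and cannot identify the sender.
// The parent therefore authenticates messages by event.source instead.

const ALLOWED_TYPES = new Set(["resize", "ready"]); // hypothetical schema

function validateFrameMessage(event, frameWindow) {
  // 1. The sender must be the exact window object of our sandboxed frame.
  if (event.source !== frameWindow) return { ok: false, reason: "unexpected source" };
  // 2. A sandboxed frame lacking allow-same-origin reports origin "null";
  //    anything else means the sandbox is not in effect as intended.
  if (event.origin !== "null") return { ok: false, reason: "unexpected origin" };
  // 3. The payload is untrusted data: check its shape and value ranges.
  const data = event.data;
  if (typeof data !== "object" || data === null) return { ok: false, reason: "bad payload" };
  if (!ALLOWED_TYPES.has(data.type)) return { ok: false, reason: "unknown type" };
  if (data.type === "resize") {
    const h = data.height;
    if (!Number.isInteger(h) || h < 0 || h > 4000) return { ok: false, reason: "bad height" };
    return { ok: true, action: { type: "resize", height: h } };
  }
  return { ok: true, action: { type: "ready" } };
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.getElementById("widget");
  window.addEventListener("message", (event) => {
    const result = validateFrameMessage(event, frame.contentWindow);
    if (result.ok && result.action.type === "resize") {
      frame.style.height = result.action.height + "px";
    }
  });
  // An opaque-origin frame can only be addressed with targetOrigin "*",
  // so nothing confidential belongs in messages sent to it.
  frame.addEventListener("load", () => {
    frame.contentWindow.postMessage({ type: "hello" }, "*");
  });
}
```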
