[whatwg] <object> behavior
Ian Hickson
ian at hixie.ch
Sun Oct 18 14:48:51 PDT 2009
On Sun, 18 Oct 2009, Ben Laurie wrote:
>
> > but if you want a very specific type used for a plugin, you can use
> > <embed>.
>
> So what's the difference between <embed> and <object>?

<embed> only allows plugins; <object> also allows other things, like HTML
and images.

> > If you just want to allow the untrusted site to do anything, but in
> > their own security context so it can't harm your site, use <iframe>.
>
> iframe is insufficient to prevent untrusted content from doing harm. It
> also makes it painful to communicate with the untrusted content.

Both of these issues are addressed in HTML5, with sandbox="" on <iframe>,
and postMessage() on Window. Hopefully that will make things better in the
long term.

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
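
Added example (not part of the original message): a host-side gate for messages arriving from a sandboxed <iframe>, combining the sandbox="" and postMessage() features the reply names. The function name, the message types, the height limit and the URL are assumptions made for illustration.

```javascript
// Added example: host-side checks for messages from a sandboxed <iframe>.
// A frame sandboxed without allow-same-origin has an opaque origin, so its
// messages arrive with event.origin === "null". That string does not identify
// one frame, so the sender is identified by event.source instead.

const ALLOWED_TYPES = new Set(["ready", "resize"]); // hypothetical message types
const MAX_HEIGHT = 4000;                            // hypothetical upper bound, in px

// Returns a handler that accepts a message only if it came from the expected
// frame window, carries the opaque origin, and has a well-formed payload.
function makeFrameMessageGate(frameWindow, onAccepted) {
  return function handle(event) {
    if (event.source !== frameWindow) return "rejected: unexpected source";
    if (event.origin !== "null") return "rejected: unexpected origin";
    const msg = event.data;
    if (msg === null || typeof msg !== "object") return "rejected: not an object";
    if (!ALLOWED_TYPES.has(msg.type)) return "rejected: unknown type";
    if (msg.type === "resize") {
      const h = msg.height;
      if (!Number.isInteger(h) || h < 0 || h > MAX_HEIGHT) return "rejected: bad height";
    }
    onAccepted(msg);
    return "accepted";
  };
}

// Browser wiring; skipped where no DOM exists.
if (typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts"); // scripts run, no same-origin access
  frame.src = "https://untrusted.example/widget.html"; // placeholder URL
  document.body.appendChild(frame);
  const gate = makeFrameMessageGate(frame.contentWindow, (msg) => {
    if (msg.type === "resize") frame.style.height = msg.height + "px";
  });
  window.addEventListener("message", gate);
}
```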