[whatwg] <object> behavior

[Ian Hickson]

On Sun, 18 Oct 2009, Ben Laurie wrote:
> 
> > but if you want a very specific type used for a plugin, you can use 
> > <embed>.
> 
> So what's the difference between <embed> and <object>?

<embed> only allows plugins; <object> also allows other things, like HTML 
and images.


> > If you just want to allow the untrusted site to do anything, but in 
> > their own security context so it can't harm your site, use <iframe>.
> 
> iframe is insufficient to prevent untrusted content from doing harm. It 
> also makes it painful to communicate with the untrusted content.

Both of these issues are addressed in HTML5, with sandbox="" on <iframe>, 
and postMessage() on Window. Hopefully that will make things better on the 
long term.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'