[whatwg] some thoughts on sandboxed IFRAMEs

Ian Hickson ian at hixie.ch
Sun Jan 24 03:24:53 PST 2010


On Sun, 24 Jan 2010, Adam Barth wrote:
> On Sun, Jan 24, 2010 at 11:52 AM, Ian Hickson <ian at hixie.ch> wrote:
> > On Fri, 11 Dec 2009, Michal Zalewski wrote:
> >> 2.1) The ability to disable loading of external resources (images, 
> >> scripts, etc) in the sandboxed document. The common usage scenario is 
> >> when you do not want the displayed document to "phone home" for 
> >> privacy reasons, for example in a web mail system.
> >
> > Good point. Should we make sandbox="" disable off-origin network 
> > requests?
> 
> In general, stopping malicious content from exfiltrating data isn't 
> practical.  For example, even including a single hyperlink is often 
> sufficient to exfiltrate a large amount of data.  In user agents that 
> prefetch DNS, the user doesn't even need to click on the link.

Ok. Then I won't add it.


> > On Sun, 13 Dec 2009, Adam Barth wrote:
> >> I'm very interested in a solution that works for the following use
> >> cases:
> >>
> >> 1) A web page wants to display untrusted (i.e., restricted) HTML
> >> received via cross-site XMLHttpRequest or postMessage.
> >
> > Do you have a concrete use case for which <iframe> doesn't work?
> 
> <iframe sandbox srcdoc> might work nicely for this use case, actually,
> especially because setting srcdoc from the DOM removes the need to
> escape ".

Cool.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


More information about the whatwg mailing list