[whatwg] Comments on @sandbox
Ian Hickson
ian at hixie.ch
Tue Jan 12 03:47:27 PST 2010
On Thu, 5 Nov 2009, Adam Barth wrote:
>
> If a page contains a sandboxed frame, the document contained in the
> frame is only sandboxed because the user encountered the document via
> the frame. If the user encounters the same document directly (e.g., in a
> top-level browsing context), then the document will not be sandboxed.
>
> I recommend letting servers deliver the sandbox policy both via the
> sandbox attribute and via an HTTP header. The value of the HTTP header
> approach is that the document will be sandboxed in whatever context the
> user agent loads the document. For various esoteric reasons, I wrote up
> a description of how this might work on Mozilla's Wiki:
> <https://wiki.mozilla.org/Security/CSP/Sandbox>.

Based on our discussion, and inspired by Helen Wang's proposal, I've
introduced a new MIME type text/sandboxed-html for this case. I expect CSP
will make this more powerful going forward, but CSP doesn't solve the
problem for legacy browsers, which this does.

(I'll be doing more work on sandbox="" in the near future. Sorry for not
getting through all the backlog today.)

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
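
The gap discussed in this thread, as an added example that is not part of the original message: a simplified model of which sandbox allowances apply to a document depending on how it is reached. It assumes the header form is the `sandbox` directive of a single `Content-Security-Policy` value; the function names and sample policies are hypothetical and constructed for illustration.

```javascript
'use strict';

// Tokens of an <iframe sandbox="..."> value; null means the document is not
// framed by a sandboxing frame (e.g. opened directly in a top-level context).
function parseFrameSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
}

// Tokens of the sandbox directive in one CSP header value; null if absent.
function parseCspSandbox(header) {
  if (!header) return null;
  for (const directive of header.split(';')) {
    const [name, ...tokens] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'sandbox') {
      return new Set(tokens.map((t) => t.toLowerCase()));
    }
  }
  return null;
}

// Restrictions from every source that applies are combined, so a capability
// survives only if each applicable source allows it. Returns null when no
// source applies (document is not sandboxed at all), otherwise the sorted
// list of allowances ([] = fully restricted).
function effectiveSandbox({ frameSandbox = null, cspHeader = null } = {}) {
  const sources = [parseFrameSandbox(frameSandbox), parseCspSandbox(cspHeader)]
    .filter((s) => s !== null);
  if (sources.length === 0) return null;
  return [...sources[0]].filter((tok) => sources.every((s) => s.has(tok))).sort();
}

// Constructed scenarios: the same untrusted document reached four ways.
function scenarios() {
  const header = "default-src 'self'; sandbox allow-forms allow-scripts";
  return {
    framedNoHeader: effectiveSandbox({ frameSandbox: 'allow-scripts' }),
    directNoHeader: effectiveSandbox({}), // attribute-only policy is lost
    directWithHeader: effectiveSandbox({ cspHeader: header }),
    framedWithHeader: effectiveSandbox({
      frameSandbox: 'allow-scripts allow-same-origin',
      cspHeader: header,
    }),
  };
}
```
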