[whatwg] Should scripts and plugins in contenteditable content be enabled or disabled?

Robert O'Callahan robert at ocallahan.org
Wed May 19 16:32:05 PDT 2010

On Wed, May 19, 2010 at 5:35 AM, Ojan Vafai <ojan at chromium.org> wrote:

> The webkit behavior of allowing all scripts makes the most sense to me. It
> should be possible to disable scripts, but that capability shouldn't be tied
> to editability. The clean solution for the CKEditor developer is to use a
> sandboxed iframe.

Discussion led to the point that there's a fundamental conflict between
sandboxed iframes and JS-based framebusting techniques. The point of
https://bugzilla.mozilla.org/show_bug.cgi?id=519928 is that Web sites using
JS-based techniques to prevent clickjacking can be thwarted if the
containing page has a way to disable JS in the child document. Currently
'designmode' is usable that way in Gecko, but 'sandbox' would work even

Maybe sites should all move to declarative techniques such as CSP or
X-Frame-Options (although there are suggestions that maybe they don't want
to for some reason --- see
https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c5 ). But there are
still issues with existing sites. Should we care?

"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100520/7560765a/attachment-0002.htm>

More information about the whatwg mailing list