[whatwg] Should scripts and plugins in contenteditable content be enabled or disabled?
w3c at adambarth.com
Wed May 19 16:57:25 PDT 2010
On Wed, May 19, 2010 at 4:32 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
> On Wed, May 19, 2010 at 5:35 AM, Ojan Vafai <ojan at chromium.org> wrote:
>> The webkit behavior of allowing all scripts makes the most sense to me. It
>> should be possible to disable scripts, but that capability shouldn't be tied
>> to editability. The clean solution for the CKEditor developer is to use a
>> sandboxed iframe.
> Discussion led to the point that there's a fundamental conflict between
> sandboxed iframes and JS-based framebusting techniques. The point of
> https://bugzilla.mozilla.org/show_bug.cgi?id=519928 is that Web sites using
> JS-based techniques to prevent clickjacking can be thwarted if the
> containing page has a way to disable JS in the child document. Currently
> 'designmode' is usable that way in Gecko, but 'sandbox' would work even
> Maybe sites should all move to declarative techniques such as CSP or
> X-Frame-Options (although there are suggestions that maybe they don't want
> to for some reason --- see
> https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c5 ). But there are
> still issues with existing sites. Should we care?
sites are effective. You can build one that is effective, but you
in that case, it will play nice with @sandbox. I'd recommend that
sites use something declarative, such as X-Frame-Options or