bzbarsky at MIT.EDU
Tue Nov 30 13:51:28 PST 2010
On 11/30/10 2:37 PM, Darin Adler wrote:
the handler for it will by default only run in a sandbox and only if the
security context is known. The security context is often not known
(e.g. for <img src> it's not known). And running not in a sandbox
requires explicit caller opt-in.
So the net result is pretty similar.
But these are all implementation details. As far as authors are
trying to load it runs script. Any deviation from this is additional
complexity for authors; the further the deviation the more complexity.
The question is how much complexity is warranted.
frame/iframe/toplevel documents is simplest on implementors. It'd be
pretty easy to get there in Gecko; we'd just remove some code in
<object> and change the default execution policy from "sandbox" to
"don't execute". So I agree with Philip that for UAs this is the
quickest path to convergence. But is the result what we want for the