[whatwg] <banner> as a dedicated tag
ian at hixie.ch
Fri Jun 3 16:11:05 PDT 2011
On Wed, 23 Feb 2011, Martin Stender wrote:
> I've been searching the archives for some discussions about the need for
> a dedicated banner-tag [...]. Several places on our site, we have markup
> like this:
> <div class="banner_300">
> So the ad-managing system injects whatever is supposed to sit inside
> that div-tag, into our dom. I believe that is the way most commercial
> sites handle this task.
> While we trust both our ad-team, our ad-management system, our customers
> and their ad-agencies - *nothing* really prevents either a human error
> or some 'evil-doers' (tm) from taking over the entire page this way. In
> reality, of course, human error would be the case in almost all cases of
> mishap, but everything is possible.
> So it would be great to have the ability to just insert a <banner>-tag,
> knowing that whatever goes on inside that tag, cannot alter the page
> itself. You should be able to grant the tag access to read various
> values of the surrounding page, though.
On Wed, 23 Feb 2011, Tab Atkins Jr. wrote:
> Let me attempt to summarize your use-case:
> I have untrusted markup from a third party which I would like to
> safely insert into my page, knowing that the rest of my page is safe
> from whatever the untrusted markup is doing. Also, the untrusted
> markup may be doing expensive things, particularly on load, so I'd
> like to wait until after the rest of the page is loaded before loading
> the markup.
> Is this accurate? Correct me if not, but I'll assume it is for now.
> This is precisely what <iframe sandbox> is designed for. You can use a
> sandboxed iframe to isolate things from the rest of your page while
> still allowing them to run script and generally do arbitrary unknown
> If the network request that <iframe>s normally kick off is undesirable,
> you can use the @srcdoc attribute to get around this. Using @srcdoc, you
> can either safely embed the untrusted markup directly in your page
> (it'll still only run in the sandbox), or easily set it from script. (
> var bannermarkup = "<p>some markup here</p>"; banneriframe.srcdoc =
> bannermarkup; )
> I know that iframes don't stop the rest of the page from rendering while
> they load. I can't recall off the top of my head whether they delay the
> load event or not. If they do, and this is a problem, you can easily
> just set up a script which listens for the load event and then sets the
> @src or @srcdoc of the iframe.
I haven't added a <banner> element, since it seems <iframe> already
handles this. Is that sufficient?
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
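
The sandboxed `<iframe srcdoc>` approach described in the quoted reply, as an added example that is not code from the thread or its participants. The function names, the list of grantable sandbox tokens and the 300x250 default size are assumptions made for illustration.

```javascript
// Added example; function names, token policy and sizes are assumptions.

// Tokens a banner may be granted. allow-same-origin is refused by this policy:
// a srcdoc document would then keep the embedding page's origin.
const GRANTABLE = new Set(["allow-scripts", "allow-popups", "allow-forms"]);

function sandboxValue(tokens) {
  for (const t of tokens) {
    if (!GRANTABLE.has(t)) throw new Error("refusing sandbox token: " + t);
  }
  return [...new Set(tokens)].join(" ");
}

// srcdoc travels inside a quoted attribute, so & and " must be escaped or the
// untrusted markup could close the attribute and land outside the sandbox.
function escapeSrcdoc(markup) {
  return String(markup).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Template form: the banner embedded directly in the page as an HTML string.
function bannerIframeHtml(untrustedMarkup, tokens = [], width = 300, height = 250) {
  return '<iframe sandbox="' + sandboxValue(tokens) + '"' +
    ' width="' + Number(width) + '" height="' + Number(height) + '"' +
    ' srcdoc="' + escapeSrcdoc(untrustedMarkup) + '"></iframe>';
}

// Script form: fill the slot only once the page's load event has fired.
// Assigning the srcdoc property needs no escaping; sandbox is set first.
function mountBannerAfterLoad(slot, untrustedMarkup, tokens = []) {
  const doc = slot.ownerDocument;
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", sandboxValue(tokens));
  const fill = () => {
    frame.srcdoc = untrustedMarkup;
    slot.appendChild(frame);
  };
  if (doc.readyState === "complete") fill();
  else doc.defaultView.addEventListener("load", fill, { once: true });
  return frame;
}
```

An empty `sandbox=""` value applies every restriction, which is the default here when no tokens are passed.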