On 5/15/07, <b class="gmail_sendername">Kristof Zelechovski</b> <<a href="mailto:email@example.com">firstname.lastname@example.org</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The OP probably meant that maintaining so many contexts would cause a<br>comparable deterioration in performance. All user comments should be put in<br>one security context.<br>With all comments grouped together in such a manner, you could even use an
<br>inline frame.<br>Chris</blockquote><div><br>I really think comments are a bad use case. Why would someone allow scripts in comments in any context, much less a sandboxed one?<br><br>The best use case I have thought of so far is MySpace et. al., a site where users have their own page with limited permission in the context of the overall site. MySpace solves this by not allowing scripts at all, as most such web sites do. If possible, such sites might allow a user to insert widget scripts with limited permissions. For this use case, iframe isn't ideal, either, but limited scripting and styling are desired.