Your main point is well taken.
There are some technical reasons why tag whitelisting makes more sense
for inline content. For example, consider the case you mentioned on
webkit-dev: @id. Inline, @id is problematic because the ids exist in
a per-frame namespace, whereas they're harmless when the
The WebKit community is considering taking up such an experimental
implementation. Here's my current proposal for how this might work:
http://docs.google.com/Doc?docid=0AZpchfQ5mBrEZGQ0cDh3YzRfMTJzbTY1cWJrNAhl=en
I would appreciate any feedback on the design.
Whitelist requires developers to
2009/12/1 Kornel Lesiński kor...@geekhood.net:
The WebKit community is considering taking up such an experimental
implementation. Here's my current proposal for how this might work:
http://docs.google.com/Doc?docid=0AZpchfQ5mBrEZGQ0cDh3YzRfMTJzbTY1cWJrNAhl=en
I would appreciate any
And even whitelist for CSS properties couldn't be used to implement No
external access policy (allow images with data: urls, allow http: links,
but not http: images). This would be useful for webmails and other places
where website doesn't want to allow 3rd parties tracking views.
I
2009/12/1 Kornel Lesiński kor...@geekhood.net:
And even whitelist for CSS properties couldn't be used to implement No
external access policy (allow images with data: urls, allow http: links,
but not http: images). This would be useful for webmails and other places
where website doesn't want to
On Fri, Jun 5, 2009 at 5:09 PM, Ian Hickson i...@hixie.ch wrote:
Defining a spec-blessed whitelist of element, attributes, and attribute
values is and filtering at the parser level is a significant new feature.
While I see that it has value, I think on the short term it would be
better to wait
On Nov 30, 2009, at 3:55 PM, Adam Barth wrote:
On Fri, Jun 5, 2009 at 5:09 PM, Ian Hickson i...@hixie.ch wrote:
Defining a spec-blessed whitelist of element, attributes, and attribute
values is and filtering at the parser level is a significant new feature.
While I see that it has value,
On Mon, Nov 30, 2009 at 5:43 PM, Maciej Stachowiak m...@apple.com wrote:
1) It seems like this API is harder to use than a sandboxed iframe. To use
it correctly, you need to determine a whitelist of safe elements and
attributes; providing an explicit whitelist at least of tags is mandatory.
On Nov 30, 2009, at 6:32 PM, Adam Barth wrote:
On Mon, Nov 30, 2009 at 5:43 PM, Maciej Stachowiak m...@apple.com wrote:
1) It seems like this API is harder to use than a sandboxed iframe. To use
it correctly, you need to determine a whitelist of safe elements and
attributes; providing an