Kristof Zelechovski wrote:
1. Nested browsing contexts in a sandboxed frame cannot be created
dynamically but they can be defined by the inner markup.
There was no mention of "dynamically" in Ian's proposal. My assumption
was that "cannot create browsing contexts" meant just that. If it
doesn't, the wording needs some changes.
2. If the frame is not allowed to execute scripts, setting location to
script should have no effect.
OK. Again, that was not clear in the original proposal.
4. Percentage in height scales to the container's height, not to the initial
dimensions of the current element. It is an error if the container's height
is left implicit
It's not an error in CSS. Or are you suggesting a different algorithm?
or if the sum of percentages exceeds 100%.
Again, not a problem in CSS. Percentages of auto just get treated as
auto. If you're suggesting a totally different algorithm, it needs a
lot of fleshing out.
5. The argument against SANDBOX is that the user could inject /SANDBOX. The
argument against code attribute is that the user could inject a quote.
Aren't these similar enough to reconsider SANDBOX?
SANDBOX and the non-base64 attribute thing seem pretty similar in a lot
of ways to me, except that the iframe (having a separate Window and
such) might be easier to secure in existing implementations.
-Boris