Legacy browsers will use @SRC which must be filtered. They will ignore the new content (whatever the attribute name will be) altogether, so it need not be filtered. Fallback @SRC can contain a URL to an error page saying "Sorry, not in your browser".

Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Atkins
Sent: Thursday, May 22, 2008 2:21 PM
To: Ian Hickson
Cc: email@example.com; whatwg; HTMLWG
Subject: Re: [whatwg] The <iframe> element and sandboxing ideas

Ian Hickson wrote:
> Summary:
>
> * I've added a sandbox="" attribute to <iframe>, which by default
>   disables a number of features and takes a space-separated list of
>   features to re-enable:
> [snip list]

Unless I'm missing something, this attribute is useless in practice because legacy browsers will not impose the restrictions. This means that as long as legacy browsers exist (i.e. forever) server-side filtering must still be employed to duplicate the effects of the sandbox.