Skip to site navigation (Press enter)
Re: The
element and sandboxing ideas</span></a></span> </h1> <p class="darkgray font13"> <span class="sender pipe"><a href="/search?l=public-webapi@w3.org&q=from:%22Boris+Zbarsky%22" rel="nofollow"><span itemprop="author" itemscope itemtype="http://schema.org/Person"><span itemprop="name">Boris Zbarsky</span></span></a></span> <span class="date"><a href="/search?l=public-webapi@w3.org&q=date:20080522" rel="nofollow">Thu, 22 May 2008 09:28:28 -0700</a></span> </p> </div> <div itemprop="articleBody" class="msgBody"> <!--X-Body-of-Message--> <pre style="margin: 0em;"> Ian Hickson wrote: </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;"> - by default, content in sandboxed browsing contexts, and any browsing contexts nested in them </pre></blockquote><pre style="margin: 0em;"></pre><pre> How do those nested browsing contexts come about, given that later you say: > - content in those browsing contexts cannot create new browsing > contexts or open modal dialogs or alerts ? </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;"> have a unique origin (independent of the origin of their URI); this can be overriden using the "allow-same-origin" keyword </pre></blockquote><pre style="margin: 0em;"> So the parent page cannot script the contents of the iframe by default, right? </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;"> - by default, script in those browsing contexts cannot run; this can be overriden using the "allow-scripts" keyword </pre></blockquote><pre style="margin: 0em;"> </pre><tt>What happens if the parent page sets window.location to a javascript: URI on the </tt><tt>sandbox iframe? Does the script run? If so, in which browsing context? </tt><pre style="margin: 0em;"> </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;"> causes the iframe to size vertically to the bounding box of the contents, and horizontally to the width of the container </pre></blockquote><pre style="margin: 0em;"> I assume that the bounding box is computed after setting the width? </pre><tt>By "the width of the container" do you mean that the iframe computed width </tt><tt>should be equal to its containing block's computed width? Or that the </tt><tt>display:block non-replaced width algorithm from CSS should be used? </tt><pre style="margin: 0em;"> </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;"> and which causes the initial containing block of the contents to be treated as zero height. </pre></blockquote><pre style="margin: 0em;"> </pre><tt>So percentage heights would end up being 0, while the iframe would be whatever </tt><tt>height is needed if one assumes they're auto? </tt><pre style="margin: 0em;"> </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;"> and the style sheets that apply to the <iframe> must also apply to the contents. </pre></blockquote><pre style="margin: 0em;"> But the ' ' and '>' combinators don't cross the iframe boundary, right? </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><tt>This is all HIGHLY EXPERIMENTAL. I am looking for feedback on the general </tt><tt>approaches taken. </tt></blockquote><pre style="margin: 0em;"> </pre><tt>As someone else pointed out, this doesn't seem like it would be usable without </tt><tt>some UA sniffing or something, as things stand. </tt><pre style="margin: 0em;"> </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><tt>There are various things that this doesn't address yet; e.g. there's no </tt><tt>way to force (or even allow) a non-seamless iframe to open links in the </tt><tt>parent window. </tt></blockquote><pre style="margin: 0em;"> This could be an @sandbox keyword value. </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><tt>This attribute would </tt><tt>take a string which would then be interpreted as the source document </tt><tt>markup of an HTML document, much like the above </tt></blockquote><pre style="margin: 0em;"> </pre><tt>This seems very prone to security issues (injection of the closing quote in the </tt><tt>content) to me... The base64 approach is nice in that you can't shoot yourself </tt><tt>in the foot with it. </tt><pre style="margin: 0em;"> -Boris </pre> </div> <div class="msgButtons margintopdouble"> <ul class="overflow"> <li class="msgButtonItems"><a class="button buttonleft " accesskey="p" href="msg03717.html">Previous message</a></li> <li class="msgButtonItems textaligncenter"><a class="button" accesskey="c" href="index.html#03718">View by thread</a></li> <li class="msgButtonItems textaligncenter"><a class="button" accesskey="i" href="maillist.html#03718">View by date</a></li> <li class="msgButtonItems textalignright"><a class="button buttonright " accesskey="n" href="msg03719.html">Next message</a></li> </ul> </div> <a name="tslice"></a> <div class="tSliceList margintopdouble"> <ul class="icons monospace"> <li class="icons-email"><span class="subject"><a href="msg03707.html">The <iframe> element and sandboxing ideas</a></span> <span class="sender italic">Ian Hickson</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg03708.html">Re: The <iframe> element and sandboxing ide...</a></span> <span class="sender italic">Andrew Fedoniouk</span></li> <li class="icons-email"><span class="subject"><a href="msg03713.html">Re: The <iframe> element and sandboxing ide...</a></span> <span class="sender italic">Martin Atkins</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg03716.html">Re: The <iframe> element and sandboxing...</a></span> <span class="sender italic">Jon Ferraiolo</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg03748.html">Re: The <iframe> element and sandbo...</a></span> <span class="sender italic">Jon Ferraiolo</span></li> </ul></li> <li class="icons-email"><span class="subject"><a href="msg03717.html">RE: [whatwg] The <iframe> element and s...</a></span> <span class="sender italic">Kristof Zelechovski</span></li> </ul></li> <li class="icons-email tSliceCur"><span class="subject">Re: The <iframe> element and sandboxing ide...</span> <span class="sender italic">Boris Zbarsky</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg03719.html">RE: [whatwg] The <iframe> element and s...</a></span> <span class="sender italic">Kristof Zelechovski</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg03723.html">Re: [whatwg] The <iframe> element a...</a></span> <span class="sender italic">Boris Zbarsky</span></li> </ul></li> </ul></li> <li class="icons-email"><span class="subject"><a href="msg03740.html">Re: [whatwg] The <iframe> element and sandb...</a></span> <span class="sender italic">Ojan Vafai</span></li> <li class="icons-email"><span class="subject"><a href="msg03809.html">Re: [whatwg] The <iframe> element and sandb...</a></span> <span class="sender italic">Jonas Sicking</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg03812.html">Re: [whatwg] The <iframe> element and s...</a></span> <span class="sender italic">Andrew Fedoniouk</span></li> </ul> </ul> </ul> </div> <div class="overflow msgActions margintopdouble"> <div class="msgReply" > <h2> Reply via email to </h2> <form method="POST" action="/mailto.php"> <input type="hidden" name="subject" value="Re: The <iframe> element and sandboxing ideas"> <input type="hidden" name="msgid" value="48359ED4.6080501@mit.edu"> <input type="hidden" name="relpath" value="public-webapi@w3.org/msg03718.html"> <input type="submit" value=" Boris Zbarsky "> </form> </div> </div> </div> <div class="aside" role="complementary"> <div class="logo"> <a href="/"><img src="/logo.png" width=247 height=88 alt="The Mail Archive"></a> </div> <form class="overflow" action="/search" method="get"> <input type="hidden" name="l" value="public-webapi@w3.org"> <label class="hidden" for="q">Search the site</label> <input class="submittext" type="text" id="q" name="q" placeholder="Search public-webapi"> <input class="submitbutton" name="submit" type="image" src="/submit.png" alt="Submit"> </form> <div class="nav margintop" id="nav" role="navigation"> <ul class="icons font16"> <li class="icons-home"><a href="/">The Mail Archive home</a></li> <li class="icons-list"><a href="/public-webapi@w3.org/">public-webapi - all messages</a></li> <li class="icons-about"><a href="/public-webapi@w3.org/info.html">public-webapi - about the list</a></li> <li class="icons-expand"><a href="/search?l=public-webapi@w3.org&q=subject:%22Re%5C%3A+The+%3Ciframe%3E+element+and+sandboxing+ideas%22&o=newest&f=1" title="e" id="e">Expand</a></li> <li class="icons-prev"><a href="msg03717.html" title="p">Previous message</a></li> <li class="icons-next"><a href="msg03719.html" title="n">Next message</a></li> </ul> </div> <div class="listlogo margintopdouble"> </div> <div class="margintopdouble"> </div> </div> </div> <div class="footer" role="contentinfo"> <ul> <li><a href="/">The Mail Archive home</a></li> <li><a href="/faq.html#newlist">Add your mailing list</a></li> <li><a href="/faq.html">FAQ</a></li> <li><a href="/faq.html#support">Support</a></li> <li><a href="/faq.html#privacy">Privacy</a></li> <li class="darkgray">48359ED4.6080501@mit.edu</li> </ul> </div> </body> </html>