On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak m...@apple.com wrote:
If we tie it to an element or attribute, people may be tempted to just do it
in markup, which would be insecure.
Maybe we should have a DOM API called
webkitJailChildren(no-script-for-you) on Node that prevents future
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html
I think we should experiment with the minimal API that seems useful.
If the experiment is a success, we can scale it up.
Apologies if I am rehashing something discussed earlier, but I think it
would be easy to run into
I'd rather not go this route in our initial implementation. I think
we should target the use case of a web site receiving an untrusted
string via cross-origin XMLHttpRequest or postMessage.
Fair enough. OTOH, this solves a very narrow problem. If we have an
implementation that at least
On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak m...@apple.com
wrote:
If we tie it to an element or attribute, people may be tempted to
just do it
in markup, which would be insecure.
Maybe we should have a DOM API called
On Nov 25, 2009, at 12:34 PM, Adam Barth wrote:
On Wed, Nov 25, 2009 at 12:30 PM, Maciej Stachowiak m...@apple.com
wrote:
On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
Maybe we should have a DOM API called
webkitJailChildren(no-script-for-you) on Node that prevents future
children from
On Wed, Nov 25, 2009 at 1:25 PM, Maciej Stachowiak m...@apple.com wrote:
On Nov 25, 2009, at 12:34 PM, Adam Barth wrote:
On Wed, Nov 25, 2009 at 12:30 PM, Maciej Stachowiak m...@apple.com wrote:
On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
Maybe we should have a DOM API called
The other way to skin this cat, by the way, is to implement the
seamless attribute on iframes. That gives you a similar sort of
design using the @sandbox attribute and solves many of your above
concerns, e.g. by creating a new namespace for @ids. Maybe we should
try that first or in
On Nov 25, 2009, at 1:33 PM, Adam Barth wrote:
On Wed, Nov 25, 2009 at 1:25 PM, Maciej Stachowiak m...@apple.com
wrote:
On Nov 25, 2009, at 12:34 PM, Adam Barth wrote:
On Wed, Nov 25, 2009 at 12:30 PM, Maciej Stachowiak
m...@apple.com wrote:
On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
On Nov 25, 2009, at 1:45 PM, Michal Zalewski wrote:
The other way to skin this cat, by the way, is to implement the
seamless attribute on iframes. That gives you a similar sort of
design using the @sandbox attribute and solves many of your above
concerns, e.g. by creating a new namespace for
On Wed, Nov 25, 2009 at 1:49 PM, Maciej Stachowiak m...@apple.com wrote:
On Nov 25, 2009, at 1:33 PM, Adam Barth wrote:
I don't have a complete design in mind. I could try to write up a
design document.
Sounds like we could use one given the potential complications.
I've sketched out a
On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
In the below message to the WHATWG, Ian suggests that vendors
experiment with an API that makes it easier for web developers to
programmatically add static HTML content to their pages without XSSing
themselves:
On Tue, Nov 24, 2009 at 8:39 PM, Maciej Stachowiak m...@apple.com wrote:
On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
In the below message to the WHATWG, Ian suggests that vendors
experiment with an API that makes it easier for web developers to
programmatically add static HTML content to
On Nov 24, 2009, at 10:37 PM, Adam Barth wrote:
On Tue, Nov 24, 2009 at 8:39 PM, Maciej Stachowiak m...@apple.com
wrote:
On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
In the below message to the WHATWG, Ian suggests that vendors
experiment with an API that makes it easier for web
13 matches