On Wed, Nov 25, 2009 at 1:49 PM, Maciej Stachowiak wrote:
> On Nov 25, 2009, at 1:33 PM, Adam Barth wrote:
>> I don't have a complete design in mind. I could try to write up a
>> design document.
>
> Sounds like we could use one given the potential complications.
I've sketched out a complete des
On Nov 25, 2009, at 1:45 PM, Michal Zalewski wrote:
The other way to skin this cat, by the way, is to implement the
seamless attribute on iframes. That gives you a similar sort of
design using the @sandbox attribute and solves many of your above
concerns, e.g. by creating a new namespace for @
On Nov 25, 2009, at 1:33 PM, Adam Barth wrote:
On Wed, Nov 25, 2009 at 1:25 PM, Maciej Stachowiak
wrote:
On Nov 25, 2009, at 12:34 PM, Adam Barth wrote:
On Wed, Nov 25, 2009 at 12:30 PM, Maciej Stachowiak
wrote:
On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
Maybe we should have a DOM A
> The other way to skin this cat, by the way, is to implement the
> seamless attribute on iframes. That gives you a similar sort of
> design using the @sandbox attribute and solves many of your above
> concerns, e.g. by creating a new namespace for @ids. Maybe we should
> try that first or in par
On Wed, Nov 25, 2009 at 1:25 PM, Maciej Stachowiak wrote:
> On Nov 25, 2009, at 12:34 PM, Adam Barth wrote:
>> On Wed, Nov 25, 2009 at 12:30 PM, Maciej Stachowiak wrote:
>>> On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
Maybe we should have a DOM API called
webkitJailChildren("no-scrip
On Nov 25, 2009, at 12:34 PM, Adam Barth wrote:
On Wed, Nov 25, 2009 at 12:30 PM, Maciej Stachowiak
wrote:
On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
Maybe we should have a DOM API called
webkitJailChildren("no-script-for-you") on Node that prevents future
children from running script.
On Wed, Nov 25, 2009 at 12:30 PM, Maciej Stachowiak wrote:
> On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
> > Maybe we should have a DOM API called
> > webkitJailChildren("no-script-for-you") on Node that prevents future
> > children from running script. Making it a DOM API prevents authors
> >
On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:
On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak
wrote:
If we tie it to an element or attribute, people may be tempted to
just do it
in markup, which would be insecure.
Maybe we should have a DOM API called
webkitJailChildren("no-script-f
> I'd rather not go this route in our initial implementation. I think
> we should target the use case of a web site receiving an untrusted
> string via cross-origin XMLHttpRequest or postMessage.
Fair enough. OTOH, this solves a very narrow problem. If we have an
implementation that at least exte
>>> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html
> I think we should experiment with the minimal API that seems useful.
> If the experiment is a success, we can scale it up.
Apologies if I am rehashing something discussed earlier, but I think it
would be easy to run in
On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak wrote:
> If we tie it to an element or attribute, people may be tempted to just do it
> in markup, which would be insecure.
Maybe we should have a DOM API called
webkitJailChildren("no-script-for-you") on Node that prevents future
children from
On Nov 24, 2009, at 10:37 PM, Adam Barth wrote:
On Tue, Nov 24, 2009 at 8:39 PM, Maciej Stachowiak
wrote:
On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
In the below message to the WHATWG, Ian suggests that vendors
experiment with an API that makes it easier for web developers to
programmat
On Tue, Nov 24, 2009 at 8:39 PM, Maciej Stachowiak wrote:
> On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
>> In the below message to the WHATWG, Ian suggests that vendors
>> experiment with an API that makes it easier for web developers to
>> programmatically add static HTML content to their page
On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
In the below message to the WHATWG, Ian suggests that vendors
experiment with an API that makes it easier for web developers to
programmatically add static HTML content to their pages without XSSing
themselves:
http://lists.whatwg.org/htdig.cgi/wh
In the below message to the WHATWG, Ian suggests that vendors
experiment with an API that makes it easier for web developers to
programmatically add static HTML content to their pages without XSSing
themselves:
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html
I think we s
15 matches