On Fri, 13 Feb 2009, Adam Barth wrote:
On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson i...@hixie.ch wrote:
Indeed. If someone can come up with a way of making this work in legacy
UAs, I'd certainly be happy to change the spec to do that.
Here's a suggestion. When requesting the contents of
(Please only cc one mailing list when replying.)
On Wed, 2 Jul 2008, Mike Ter Louw wrote:
There are various things that this doesn't address yet; e.g. there's
no way to force (or even allow) a non-seamless iframe to open links in
the parent window.
There also does not seem to be a
On Tue, 22 Jul 2008, Frode Børli wrote:
I like the proposal of adding a seamless attribute to the iframe
element, though it should perhaps be added using CSS since it applies to
styling?
It doesn't seem CSS-specific; it would apply to any styling mechanism.
I also want the following:
On Mon, 26 May 2008, Ojan Vafai wrote:
What happens if an iframe is loaded with sandbox set and then the
property is unset? What security origin is it in?
I've clarified the spec to ensure that the flag only takes effect when the
browsing context is navigated and the Document is created.
(Please only cc one mailing list when replying, to reduce cross-posting.)
On Sun, 25 May 2008, Jon Ferraiolo wrote:
Olaf suggested that there might be another attribute to propagate
events. This is definitely highly desirable in some scenarios. Note that
the CDF WG has done some work that
(Please pick one mailing list when replying, so as to reduce
cross-posting.)
On Thu, 22 May 2008, Martin Atkins wrote:
* I've added a sandbox= attribute to iframe, which by default
disables a number of features and takes a space-separated list of
features to re-enable:
Unless
(Please pick one mailing list when replying, so as to reduce
cross-posting.)
On Thu, 22 May 2008, Boris Zbarsky wrote:
Ian Hickson wrote:
- by default, content in sandboxed browsing contexts, and any
browsing contexts nested in them
How do those nested browsing contexts come
On Sat, 24 May 2008, Ojan Vafai wrote:
So, the whole point of these is defining elements that are isolated from
their surrounding context on different axes. Same origin iframes
currently just give you CSS isolation. sandbox affords script isolation.
seamless affords the ability to turn
On Fri, Feb 13, 2009 at 3:06 PM, Ian Hickson i...@hixie.ch wrote:
Indeed. If someone can come up with a way of making this work in legacy
UAs, I'd certainly be happy to change the spec to do that.
Here's a suggestion. When requesting the contents of a sandboxed
iframe, send an HTTP header that
Frode Børli wrote:
Yeah, I thought about that also. Then we have more complex attributes
such as style='font-family: expression&#40;a+5&#41;;'... So your
sanitizer must also parse CSS properly - including unescaping
entities.
The way HTML Purifier handles this is unescaping all entities (hex,
...
And no wonder it could afford only one employee.
Chris
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Frode Borli
Sent: Saturday, July 26, 2008 9:40 AM
To: Edward Z. Yang
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [whatwg] The iframe element and sandboxing
Frode Borli wrote:
A bank wants an HTML-messaging system where the customer can write
HTML-based
Frode Børli wrote:
<td colspan='javascript(a + 5)'></td>
Where a javascript returns the value in the colspan attribute. Many
server side HTML sanitizers would have to be updated - unless we
introduce a proper sandbox.
Or the HTML sanitizer could have done things properly and checked if
Warning: This is going to be a little bit of an HTML Purifier
evangelising post.
Frode Børli wrote:
Yeah, I thought about that also. Then we have more complex attributes
such as style='font-family: expression&#40;a+5&#41;;'... So your
sanitizer must also parse CSS properly - including unescaping
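The two HTML Purifier snippets above make the same point: an attribute sanitizer that looks for the literal text "expression(" is beaten by the thread's own payload, style='font-family: expression&#40;a+5&#41;;', because the parentheses arrive as numeric character references and only the browser turns them back into parentheses. The following is an added example, not code from the thread or from HTML Purifier; the function names, the regular expressions and the sample attribute values are this example's own. It decodes decimal and hex references (with and without the trailing semicolon, which browsers tolerate) and strips whitespace and control characters before matching, then runs the naive and the decoding check side by side over constructed inputs.

```javascript
// Added example: decode character references before pattern-matching an
// attribute value. Names and patterns are this example's, not HTML Purifier's.

// Decode decimal (&#40;) and hex (&#x28;) character references, including the
// legacy form without a trailing semicolon, which browsers also accept.
function decodeNumericEntities(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (whole, body) => {
    const cp = body[0].toLowerCase() === 'x'
      ? parseInt(body.slice(1), 16)
      : parseInt(body, 10);
    if (!Number.isFinite(cp) || cp > 0x10ffff) return whole; // leave junk as-is
    return String.fromCodePoint(cp);
  });
}

// Matching normalization only (the stored value is never rewritten): decode,
// drop whitespace and C0 controls, lower-case, so "java&#9;script:" and
// "expression&#40;" both collapse onto the strings we look for.
function normalizeForMatch(value) {
  return decodeNumericEntities(value).replace(/[\s\x00-\x1f]+/g, '').toLowerCase();
}

// The check the thread says is insufficient: literal text only.
function naiveStyleIsDangerous(style) {
  return /expression\(/i.test(style) || /javascript:/i.test(style);
}

// Decode first, then match.
function styleIsDangerous(style) {
  const s = normalizeForMatch(style);
  return s.includes('expression(') || s.includes('javascript:');
}

// Constructed sample attribute values; the first is the payload from the thread.
const SAMPLES = [
  { style: 'font-family: expression&#40;a+5&#41;;', dangerous: true },
  { style: 'font-family: expression&#x28;a+5&#x29;;', dangerous: true },   // hex references
  { style: 'font-family: expression&#40a+5&#41;', dangerous: true },       // no semicolons
  { style: 'background: url(java&#115;cript:alert(1))', dangerous: true }, // one encoded letter
  { style: 'font-family: Georgia, serif; color: #333', dangerous: false },
];

// Returns, per sample, what each check decided next to the expected verdict.
function evaluateSamples() {
  return SAMPLES.map(({ style, dangerous }) => ({
    style,
    expected: dangerous,
    naive: naiveStyleIsDangerous(style),
    decoded: styleIsDangerous(style),
  }));
}
```

The decoding check agrees with the expected verdict on every sample; the naive check misses every encoded one, including the single substituted letter in java&#115;cript:. A real sanitizer must apply the same decode-then-match discipline to every attribute that can carry a URL or CSS, not only to style.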
On Tue, Jul 22, 2008 at 3:22 PM, Frode Børli [EMAIL PROTECTED] wrote:
The server must escape all user generated content by replacing < with
&lt; etc. This is perfectly secure for all existing browsers. The
sandbox instructs the browser to unescape. Completely fail safe for
all.
Thanks for the
I am not sure - the sandbox should not allow any scripts at all, that is my
only requirement. More advanced requirements can be taken care of server
side.
The issue I want sandbox for is that it allows us to introduce other ways to
embed scripts in tags in the future. Imagine this becoming legal
The server must escape all user generated content by replacing < with
&lt; etc. This is perfectly secure for all existing browsers. The
sandbox instructs the browser to unescape. Completely fail safe for
all.
On 7/22/08, James Ide [EMAIL PROTECTED] wrote:
I'm not sure that I follow - it seems to
I like the proposal of adding a seamless attribute to the iframe element,
though it should perhaps be added using CSS since it applies to styling?
I also want the following:
<span sandbox=1></span>
This is because a typical Web 2.0 usage is to have a list of comments with a
thumbs up/thumbs down
I'm not sure that I follow - it seems to me that searching for unescaped
text and failing is not a reliable solution. As you mention:
The problem is 1: that the user can easily write </span> in his comment and
bypass the sandbox and 2: it is not backward compatible.
Say I input </span> and the
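James Ide's objection above is the reason an in-band wrapper such as <span sandbox=1>...</span> cannot sandbox anything: the untrusted bytes share a token stream with the delimiters, so whoever writes the bytes can close the delimiter early. Frode's escaping scheme (replace < with &lt; on the server, let only the sandboxed document unescape) and Ian's proposed attribute that carries the HTML as a string avoid that by keeping the untrusted content out of band. The following is an added example, not code from the thread; it runs under Node with no DOM. The attribute name srcdoc is the name that later shipped for Ian's unnamed "html"/"doc" attribute, not a name used in this thread, and the attacker comment is constructed for the demonstration.

```javascript
// Added example: in-band <span sandbox> wrapper versus out-of-band,
// attribute-escaped content. Not code from the thread; srcdoc is the later
// shipped name for the attribute Ian had not yet named.

// Constructed attacker comment that closes the wrapper and injects a script.
const BREAKOUT = '</span><script>steal(document.cookie)</script><span>';

// In-band wrapper as proposed: delimiters and untrusted bytes interleave.
function spanSandbox(userHtml) {
  return `<span sandbox=1>${userHtml}</span>`;
}

// True if the first </span> end tag in the markup is not the trusted one
// appended by spanSandbox, i.e. the user content terminated the sandbox.
function spanSandboxBreached(userHtml) {
  const markup = spanSandbox(userHtml);
  const trustedCloserAt = markup.length - '</span>'.length;
  const firstCloser = /<\/span[\s>]/i.exec(markup);
  return firstCloser === null || firstCloser.index !== trustedCloserAt;
}

// Out-of-band: Frode's "replace < with &lt;" rule, extended to &, > and "
// so the value cannot end the attribute early or smuggle in a reference.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Inverse of escapeAttr; &amp; must be decoded last or "&amp;lt;" double-decodes.
function unescapeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&gt;/g, '>')
          .replace(/&lt;/g, '<').replace(/&amp;/g, '&');
}

// reenable: the space-separated feature tokens the sandbox attribute takes.
// Left empty, everything stays disabled, which is the default Ian describes.
function sandboxedIframe(userHtml, reenable = []) {
  return `<iframe sandbox="${escapeAttr(reenable.join(' '))}" ` +
         `srcdoc="${escapeAttr(userHtml)}"></iframe>`;
}

// Count tag openers in the outer markup; exactly one (<iframe) means no
// user-controlled markup reached the embedding page's parser.
function countTagOpens(markup) {
  return (markup.match(/<[a-z]/gi) || []).length;
}

// Pull the srcdoc value back out and unescape it: the content survives intact
// for the inner document while staying inert in the outer one.
function recoverSrcdoc(markup) {
  const m = /\ssrcdoc="([^"]*)"/.exec(markup);
  return m ? unescapeAttr(m[1]) : null;
}

// Runs both approaches over the constructed comment and a benign one.
function demo() {
  return {
    spanBreached: spanSandboxBreached(BREAKOUT),
    spanHonest: spanSandboxBreached('nice post <b>+1</b>'),
    iframeTagOpens: countTagOpens(sandboxedIframe(BREAKOUT)),
    roundTrip: recoverSrcdoc(sandboxedIframe(BREAKOUT)) === BREAKOUT,
  };
}
```

The in-band wrapper is breached by the first comment and intact for the benign one; the escaped attribute form yields a single <iframe> opener no matter what the comment contains, and the comment comes back byte-for-byte once the attribute is unescaped. Note what this does not buy: it only moves the content into a separate browsing context, and whether that context has a unique origin and no script depends entirely on a user agent that understands the sandbox attribute, which is the legacy-UA problem Adam Barth and Martin Atkins raise elsewhere in this thread.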
HTH
Chris
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Collin Jackson
Sent: Thursday, July 03, 2008 7:29 PM
To: Kristof Zelechovski
Cc: [EMAIL PROTECTED]; whatwg; Ian Hickson; Mike Ter Louw; HTMLWG
Subject: Re: [whatwg] The iframe element and sandboxing
Ian Hickson wrote:
This isn't very readable, I'll grant you. I'm thinking of introducing a
new attribute. I haven't worked out what to call it yet, but definitely
not src, source, src2, content, value, or data -- maybe
On Thu, Jul 3, 2008 at 12:59 AM, Kristof Zelechovski
[EMAIL PROTECTED] wrote:
Microsoft HTML engine supports the following syntax:
<IFRAME src="about:<HTML>...</HTML>">
I'd like to learn more about this. I wasn't able to reproduce it in
IE. Is it documented somewhere?
Collin Jackson
Ian Hickson wrote:
* I've added a seamless= boolean attribute to iframe, which, if
the content's active document's URI has the same origin as the
container, causes the iframe to size vertically to the bounding box
of the contents, and horizontally to the width of the container,
and
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Sean Hogan
Sent: Friday, May 23, 2008 5:42 AM
To: whatwg@lists.whatwg.org
Subject: Re: [whatwg] The iframe element and sandboxing ideas
I was wondering if you could use the content of the iframe as the source
Sent: Thursday, May 22, 2008 4:41 AM
To: Ian Hickson; whatwg List
Subject: Re: [whatwg] The iframe element and sandboxing ideas
I'm trying to find the part of the spec where this is stated explicitly, but
aren't attributes limited to ascii text? If this is intended (among other
things
Ian Hickson wrote:
Summary:
* I've added a sandbox= attribute to iframe, which by default
disables a number of features and takes a space-separated list of
features to re-enable:
[snip list]
Unless I'm missing something, this attribute is useless in practice
because legacy browsers
From: [EMAIL PROTECTED] On Behalf Of Martin Atkins
Sent: Thursday, May 22, 2008 2:21 PM
To: Ian Hickson
Cc: [EMAIL PROTECTED]; whatwg; HTMLWG
Subject: Re: [whatwg] The iframe element and sandboxing ideas
Ian Hickson wrote:
Summary:
* I've added a sandbox= attribute to iframe, which
Ian Hickson wrote:
- by default, content in sandboxed browsing contexts, and any
browsing contexts nested in them
How do those nested browsing contexts come about, given that later you say:
- content in those browsing contexts cannot create new browsing
contexts or
Chris
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Boris Zbarsky
Sent: Thursday, May 22, 2008 6:27 PM
To: Ian Hickson
Cc: [EMAIL PROTECTED]; whatwg; HTMLWG
Subject: Re: [whatwg] The iframe element and sandboxing ideas
Ian Hickson wrote:
- by default
Kristof Zelechovski wrote:
1. Nested browsing contexts in a sandboxed frame cannot be created
dynamically but they can be defined by the inner markup.
There was no mention of dynamically in Ian's proposal. My assumption
was that cannot create browsing contexts meant just that. If it
Ian Hickson wrote:
I'm thinking of introducing a
new attribute. I haven't worked out what to call it yet, but definitely
not src, source, src2, content, value, or data -- maybe
html or doc, though neither of those are great. This attribute would
take a string which would then be interpreted
Summary:
* I've added a sandbox= attribute to iframe, which by default
disables a number of features and takes a space-separated list of
features to re-enable:
- by default, content in sandboxed browsing contexts, and any
browsing contexts nested in them, have a unique origin
On Wed, May 21, 2008 at 5:30 PM, Ian Hickson [EMAIL PROTECTED] wrote:
I'm thinking of introducing a
new attribute. I haven't worked out what to call it yet, but definitely
not src, source, src2, content, value, or data -- maybe
html or doc, though neither of those are great. This attribute
On Wed, 21 May 2008, Tab Atkins Jr. wrote:
I'm trying to find the part of the spec where this is stated explicitly,
but aren't attributes limited to ascii text?
Nope, attributes use the same encoding as the rest of the document.
--
Ian Hickson U+1047E