Skip to site navigation (Press enter)
Re: [whatwg] The
element and sandboxing ideas</span></a></span> </h1> <p class="darkgray font13"> <span class="sender pipe"><a href="/search?l=whatwg@lists.whatwg.org&q=from:%22Sean+Hogan%22" rel="nofollow"><span itemprop="author" itemscope itemtype="http://schema.org/Person"><span itemprop="name">Sean Hogan</span></span></a></span> <span class="date"><a href="/search?l=whatwg@lists.whatwg.org&q=date:20080522" rel="nofollow">Thu, 22 May 2008 20:42:29 -0700</a></span> </p> </div> <div itemprop="articleBody" class="msgBody"> <!--X-Body-of-Message--> <pre style="margin: 0em;"> Ian Hickson wrote: </pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><tt>I'm thinking of introducing a </tt><tt>new attribute. I haven't worked out what to call it yet, but definitely </tt><tt>not "src", "source", "src2", "content", "value", or "data" -- maybe </tt><tt>"html" or "doc", though neither of those are great. This attribute would </tt><tt>take a string which would then be interpreted as the source document </tt><tt>markup of an HTML document, much like the above; it would override src="" </tt><tt>if it was present, allowing src="" to be used for legacy UAs: </tt><pre style="margin: 0em;"></pre><pre> <iframe seamless sandbox="allow-scripts allow-forms" doc=" <!DOCTYPE HTML> <title></title> Welcome to my blog! </sandbox> <a href='#' onclick='alert(document.cookie)'>Click here</a> "></iframe> </pre><tt>(There are things we can do to make this better, e.g. make the <!DOCTYPE </tt><tt>HMTL> and <title></title> bits implicit, maybe introducing type="" to say </tt><tt>whether it's HTML or XML instead of only supporting HTML, maybe saying </tt><tt>that if src="" and doc="" are both specified they must have identical </tt><tt>data, etc.) </tt><pre style="margin: 0em;"> </pre><tt>Comments and suggestions on this are welcome. I haven't added it to the </tt><tt>spec yet. I do agree that without this or something equivalent that we </tt><tt>don't have a solution for sandboxing embedded blog comments yet. </tt><pre style="margin: 0em;"> </pre><tt> </tt></blockquote><tt>I was wondering if you could use the content of the iframe as the source </tt><tt>for the iframe document. </tt><pre style="margin: 0em;"> </pre><tt>By my testing (FF2, FF3b, Saf2, Saf3, Opera9.2, IE6) it seems that </tt><tt>current browsers ignore content inside an <iframe>. So this degrades </tt><tt>safely for HTML. </tt><pre style="margin: 0em;"> </pre><tt>The content is available with innerHTML on IE6 and textContent on the </tt><tt>others except Safari-2. So you could possibly emulate the HTML5 behavior </tt><tt>using JS. </tt><pre style="margin: 0em;"> This idea doesn't adapt so readily to XHTML. </pre><tt>In XHTML the iframe content is also parsed as XHTML, but is not </tt><tt>displayed. Unfortunately Safari and Opera execute any scripts. You could </tt><tt>put the content in a cdata-section, but it feels wrong. </tt><pre style="margin: 0em;"> </pre><tt>Sorry if this has been discussed before - I couldn't find anything when </tt><tt>I searched the list. </tt><pre style="margin: 0em;"> </pre> </div> <div class="msgButtons margintopdouble"> <ul class="overflow"> <li class="msgButtonItems"><a class="button buttonleft " accesskey="p" href="msg10015.html">Previous message</a></li> <li class="msgButtonItems textaligncenter"><a class="button" accesskey="c" href="thrd2.html#10016">View by thread</a></li> <li class="msgButtonItems textaligncenter"><a class="button" accesskey="i" href="mail2.html#10016">View by date</a></li> <li class="msgButtonItems textalignright"><a class="button buttonright " accesskey="n" href="msg10018.html">Next message</a></li> </ul> </div> <a name="tslice"></a> <div class="tSliceList margintopdouble"> <ul class="icons monospace"> <li class="icons-email"><span class="subject"><a href="msg09961.html">Re: [whatwg] iframe width/height</a></span> <span class="sender italic">James Justin Harrell</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg09997.html">[whatwg] The <iframe> element and sandboxi...</a></span> <span class="sender italic">Ian Hickson</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg09999.html">Re: [whatwg] The <iframe> element and ...</a></span> <span class="sender italic">Tab Atkins Jr.</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg10000.html">Re: [whatwg] The <iframe> element ...</a></span> <span class="sender italic">Ian Hickson</span></li> <li class="icons-email"><span class="subject"><a href="msg10002.html">Re: [whatwg] The <iframe> element ...</a></span> <span class="sender italic">Kristof Zelechovski</span></li> </ul></li> <li class="icons-email"><span class="subject"><a href="msg10006.html">Re: [whatwg] The <iframe> element and ...</a></span> <span class="sender italic">Martin Atkins</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg10007.html">Re: [whatwg] The <iframe> element ...</a></span> <span class="sender italic">Kristof Zelechovski</span></li> </ul></li> <li class="icons-email"><span class="subject"><a href="msg10008.html">Re: [whatwg] The <iframe> element and ...</a></span> <span class="sender italic">Boris Zbarsky</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg10009.html">Re: [whatwg] The <iframe> element ...</a></span> <span class="sender italic">Kristof Zelechovski</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg10015.html">Re: [whatwg] The <iframe> elem...</a></span> <span class="sender italic">Boris Zbarsky</span></li> </ul></li> </ul></li> <li class="icons-email tSliceCur"><span class="subject">Re: [whatwg] The <iframe> element and ...</span> <span class="sender italic">Sean Hogan</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg10018.html">Re: [whatwg] The <iframe> element ...</a></span> <span class="sender italic">Kristof Zelechovski</span></li> </ul></li> <li class="icons-email"><span class="subject"><a href="msg10038.html">Re: [whatwg] The <iframe> element and ...</a></span> <span class="sender italic">Jonas Sicking</span></li> <li class="icons-email"><span class="subject"><a href="msg10349.html">Re: [whatwg] The <iframe> element and ...</a></span> <span class="sender italic">Mike Ter Louw</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg10352.html">Re: [whatwg] The <iframe> element ...</a></span> <span class="sender italic">Kristof Zelechovski</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg10356.html">Re: [whatwg] The <iframe> elem...</a></span> <span class="sender italic">Collin Jackson</span></li> <li><ul> <li class="icons-email"><span class="subject"><a href="msg10357.html">Re: [whatwg] The <iframe>...</a></span> <span class="sender italic">Kristof Zelechovski</span></li> </ul> </ul> </ul> </ul> </ul> </ul> </ul> </div> <div class="overflow msgActions margintopdouble"> <div class="msgReply" > <h2> Reply via email to </h2> <form method="POST" action="/mailto.php"> <input type="hidden" name="subject" value="Re: [whatwg] The <iframe> element and sandboxing ideas"> <input type="hidden" name="msgid" value="48363CF9.8050509@westnet.com.au"> <input type="hidden" name="relpath" value="whatwg@lists.whatwg.org/msg10016.html"> <input type="submit" value=" Sean Hogan "> </form> </div> </div> </div> <div class="aside" role="complementary"> <div class="logo"> <a href="/"><img src="/logo.png" width=247 height=88 alt="The Mail Archive"></a> </div> <form class="overflow" action="/search" method="get"> <input type="hidden" name="l" value="whatwg@lists.whatwg.org"> <label class="hidden" for="q">Search the site</label> <input class="submittext" type="text" id="q" name="q" placeholder="Search whatwg"> <input class="submitbutton" name="submit" type="image" src="/submit.png" alt="Submit"> </form> <div class="nav margintop" id="nav" role="navigation"> <ul class="icons font16"> <li class="icons-home"><a href="/">The Mail Archive home</a></li> <li class="icons-list"><a href="/whatwg@lists.whatwg.org/">whatwg - all messages</a></li> <li class="icons-about"><a href="/whatwg@lists.whatwg.org/info.html">whatwg - about the list</a></li> <li class="icons-expand"><a href="/search?l=whatwg@lists.whatwg.org&q=subject:%22Re%5C%3A+%5C%5Bwhatwg%5C%5D+The+%3Ciframe%3E+element+and+sandboxing+ideas%22&o=newest&f=1" title="e" id="e">Expand</a></li> <li class="icons-prev"><a href="msg10015.html" title="p">Previous message</a></li> <li class="icons-next"><a href="msg10018.html" title="n">Next message</a></li> </ul> </div> <div class="listlogo margintopdouble"> </div> <div class="margintopdouble"> </div> </div> </div> <div class="footer" role="contentinfo"> <ul> <li><a href="/">The Mail Archive home</a></li> <li><a href="/faq.html#newlist">Add your mailing list</a></li> <li><a href="/faq.html">FAQ</a></li> <li><a href="/faq.html#support">Support</a></li> <li><a href="/faq.html#privacy">Privacy</a></li> <li class="darkgray">48363CF9.8050509@westnet.com.au</li> </ul> </div> </body> </html> <script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'9d0f64af7b43c69c',t:'MTc3MTYwNTA3Ng=='};var a=document.createElement('script');a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();</script>