On Mon, 23 Jan 2006 09:14:02 +0600, Ian Hickson <[EMAIL PROTECTED]> wrote:

> Worry not, they're not being ignored. There are hundreds of good ideas
> being suggested to this list; all will be examined and responded to
> before the spec is finished. Currently the focus is on the parser section.

Nice to hear that.

> I agree that sandboxing is very important. There are some big problems
> with it -- how to get some level of backwards compatibility without
> exposing 99% of users to security risks,

That was in my proposal: to introduce the <safe-script> element, safe-onclick etc. attributes, and the safe-javascript: URI scheme. These would be ignored by older UAs, so the scripting is kept on the safe side: if sandboxing is not supported, then scripts are not executed at all.

> how to make it possible to
> sandbox arbitrary content (that can't, e.g., do:
>
>    document.write("</sandbox>");

AFAIK, document.write is not standardized anywhere at all (am I right?) But because user agents will continue to implement document.write even if it's not standardized, it should be somehow defined how document.write works inside a sandbox. Because "document" is somewhat fake in the sandbox, I think document.write("</sandbox>") should do the same as doing, e.g., document.write("</div>") when there was no opening <div>.

But I agree there is much more to discuss to make sure it's a useful and safe feature.


--
Opera M2 8.5 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station [ICQ: 115226275] <[EMAIL PROTECTED]>
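
The two behaviours discussed in this message, as an added toy model that is not part of the original email or of any specification: text written by a sandboxed script is either handed to the host page's parser, or matched only against elements opened inside the sandbox so that a stray `</sandbox>` is dropped like a stray `</div>`. The `<sandbox>` element is the hypothetical one from the thread, and the open-element stack and all function names are assumptions made for the illustration.

```javascript
// Toy model, added for illustration; not a real HTML parser. <sandbox> is the
// hypothetical element from the thread; every function name here is made up.

// Split markup into start tags, end tags and runs of text.
function tokenize(markup) {
  return markup.match(/<\/?[a-z][a-z0-9-]*>|[^<]+|</gi) || [];
}

// Parse text that a script inside <sandbox> passed to document.write().
//   "shared":   the text goes to the host page's parser, so an end tag may
//               close any open element, including the sandbox itself.
//   "isolated": the text is matched only against elements opened inside the
//               sandbox; an end tag with no such start tag is dropped, the
//               same way a stray </div> would be.
function parseWritten(written, policy) {
  const stack = ["html", "body", "sandbox"]; // open elements when the script runs
  const floor = policy === "isolated" ? stack.length : 0;
  const dropped = [];  // end tags that were ignored
  const outside = [];  // elements the script managed to open outside the sandbox
  for (const tok of tokenize(written)) {
    const start = /^<([a-z][a-z0-9-]*)>$/i.exec(tok);
    const end = /^<\/([a-z][a-z0-9-]*)>$/i.exec(tok);
    if (start) {
      if (!stack.includes("sandbox")) outside.push(start[1].toLowerCase());
      stack.push(start[1].toLowerCase());
    } else if (end) {
      const idx = stack.lastIndexOf(end[1].toLowerCase());
      if (idx >= floor) stack.length = idx; // close it and everything nested in it
      else dropped.push(tok);               // unmatched (or protected): ignore
    }
  }
  return { stack, dropped, outside, contained: stack.includes("sandbox") };
}

// Constructed sample input: the string from the thread followed by harmless markup.
const WRITTEN = "</sandbox><b>text</b>";

function compare() {
  return { shared: parseWritten(WRITTEN, "shared"),
           isolated: parseWritten(WRITTEN, "isolated") };
}

console.log(JSON.stringify(compare(), null, 2));
```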
