This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 8818 - Remove the srcdoc attribute
Summary: Remove the srcdoc attribute
Status: RESOLVED WONTFIX
Alias: None
Product: HTML WG
Classification: Unclassified
Component: pre-LC1 HTML5 spec (editor: Ian Hickson) (show other bugs)
Version: unspecified
Hardware: PC Windows XP
: P2 normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
URL:
Whiteboard:
Keywords: NE, TrackerIssue
Depends on:
Blocks:
 
Reported: 2010-01-26 15:47 UTC by Shelley Powers
Modified: 2010-10-04 14:29 UTC (History)
7 users (show)

See Also:


Attachments

Description Shelley Powers 2010-01-26 15:47:23 UTC
This recent entry does not have universal acceptance, and the group was still discussing it when the editor added it to the specification. 

The supposed use case for this attribute is weblog comments, but concerns about HTML security have been resolved with weblog and other application comments years ago. In addition, support for this attribute could give the impression that online sites don't need any other security, which is false. Script injection is only one aspect of security related to weblog comments, and considered a fairly trivial one at that.

This needs to be removed from the specification.
Comment 1 Ian 'Hixie' Hickson 2010-02-14 02:59:23 UTC
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: I'm happy to remove this attribute from the W3C HTML5 specification if that's what the working group wants. The last time I removed a feature based on a bug report such as this, I started a minor war, however, so I suggest that you raise this via the change proposal process if you really feel this way.
Comment 2 Shelley Powers 2010-02-14 04:38:53 UTC
Since you were the one putting srcdoc into the HTML5 specification, and the change wasn't based on any use case or requirement put forward by any other individual, I'm assuming you had a good reason for doing so. Evidently not, since you're not incorporating the reason into the WONTFIX rationale. 

Comment 3 Shelley Powers 2010-02-14 04:42:09 UTC
Opened as Tracker Issue 100:

http://www.w3.org/html/wg/tracker/issues/100
Comment 4 Jirka Kosek 2010-02-18 08:46:49 UTC
There is additional unrelated issue with srcdoc which was not mentioned previously in this bug. Content of srcdoc contains unescaped markup. This is not compatible with XML serialization of HTML5. So if there ever should be something like srcdoc, then it should be subelement of iframe not attribute.
Comment 5 Ian 'Hixie' Hickson 2010-02-25 02:32:38 UTC
Please file a new bug for new issues. (I don't think that comment 4 makes sense, though; XML supports escaping content in attributes just like in element contents.)