This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 9002 - @sandbox should not allow content with text/html MIME type to force authors to change type to secure one.
Summary: @sandbox should not allow content with text/html MIME type to force authors t...
Status: RESOLVED WONTFIX
Alias: None
Product: HTML WG
Classification: Unclassified
Component: pre-LC1 HTML5 spec (editor: Ian Hickson) (show other bugs)
Version: unspecified
Hardware: Other other
: P3 normal
Target Milestone: LC
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
URL: http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-15 12:24 UTC by contributor
Modified: 2010-10-04 14:45 UTC (History)
6 users (show)

See Also:


Attachments

Description contributor 2010-02-15 12:24:50 UTC
Section: http://www.whatwg.org/specs/web-apps/current-work/#the-iframe-element

Comment:
@sandbox should not allow content with text/html MIME type to force authors to
change type to secure one.

Posted from: 82.70.200.181
Comment 1 Anne 2010-02-15 12:38:24 UTC
I assume this is meant to be a same-origin restriction? What happens if the restriction is not followed?
Comment 2 Adam Barth 2010-02-15 15:42:02 UTC
I don't think we should force use of the text/html-sandboxed media type because there are many use case that want to fail open in legacy browsers.  For example, the ad and image search use cases I sent to the list.
Comment 3 Ian 'Hixie' Hickson 2010-02-18 08:07:45 UTC
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: As Adam said, there are several use cases (like ads) for which failing open is perfectly acceptable. sandbox="" is only really supposed to be defense in depth, anyway, at least for the foreseeable future.