8818 2010-01-26 15:47:23 +0000 Remove the srcdoc attribute 2010-10-04 14:29:32 +0000 1 1 1 Unclassified HTML WG pre-LC1 HTML5 spec (editor: Ian Hickson) unspecified PC Windows XP RESOLVED WONTFIX NE, TrackerIssue P2 normal --- 1 shelleyp ian ian jirka julian.reschke mike public-html-admin public-html-wg-issue-tracking shelleyp public-html-bugzilla oldest_to_newest 31239 0 shelleyp 2010-01-26 15:47:23 +0000 This recent entry does not have universal acceptance, and the group was still discussing it when the editor added it to the specification. The supposed use case for this attribute is weblog comments, but concerns about HTML security have been resolved with weblog and other application comments years ago. In addition, support for this attribute could give the impression that online sites don't need any other security, which is false. Script injection is only one aspect of security related to weblog comments, and considered a fairly trivial one at that. This needs to be removed from the specification. 31932 1 ian 2010-02-14 02:59:23 +0000 EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Rejected Change Description: no spec change Rationale: I'm happy to remove this attribute from the W3C HTML5 specification if that's what the working group wants. The last time I removed a feature based on a bug report such as this, I started a minor war, however, so I suggest that you raise this via the change proposal process if you really feel this way. 31950 2 shelleyp 2010-02-14 04:38:53 +0000 Since you were the one putting srcdoc into the HTML5 specification, and the change wasn't based on any use case or requirement put forward by any other individual, I'm assuming you had a good reason for doing so. Evidently not, since you're not incorporating the reason into the WONTFIX rationale. 31953 3 shelleyp 2010-02-14 04:42:09 +0000 Opened as Tracker Issue 100: http://www.w3.org/html/wg/tracker/issues/100 32372 4 jirka 2010-02-18 08:46:49 +0000 There is additional unrelated issue with srcdoc which was not mentioned previously in this bug. Content of srcdoc contains unescaped markup. This is not compatible with XML serialization of HTML5. So if there ever should be something like srcdoc, then it should be subelement of iframe not attribute. 32636 5 ian 2010-02-25 02:32:38 +0000 Please file a new bug for new issues. (I don't think that comment 4 makes sense, though; XML supports escaping content in attributes just like in element contents.)