This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 13230 - Remove text/html-sandboxed
Summary: Remove text/html-sandboxed
Status: RESOLVED WONTFIX
Alias: None
Product: HTML WG
Classification: Unclassified
Component: LC1 HTML5 spec
Version: unspecified
Hardware: Other other
Importance: P3 normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
URL: http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-13 06:27 UTC by contributor
Modified: 2011-08-10 01:57 UTC
CC: 7 users

See Also:


Description contributor 2011-07-13 06:27:06 UTC
Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/iana.html
Multipage: http://www.whatwg.org/C#text/html-sandboxed
Complete: http://www.whatwg.org/c#text/html-sandboxed

Comment:
In order to support all media types being sandboxed, I suggest that an
application/sandbox type be proposed which supports a type parameter. For
example, sandboxed text/html would be "application/sandbox; type=text/html"

Posted from: 98.235.63.240
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30
Comment 1 Eli Grey 2011-07-13 06:40:12 UTC
For additional parameters meant to be proxied to the sandboxed media type, it seems reasonable to proxy all parameters other than "type" to sandbox, but this may break a media type that actually has a "type" parameter, so it may be safer to just use something like a "params" parameter to specify parameters to be proxied to the sandboxed media type. An example could be "application/sandbox; type=example/format; params="foo='bar baz'"
Comment 2 Eli Grey 2011-07-13 06:46:27 UTC
Another format I thought of could be to use params for the allow-* parameters and put the full MIME into the type parameter.

For example, you may use this for HTML:

Content-Type: application/sandbox; type="text/html; foo='bar ...'" params="allow-forms allow-scripts"

I feel that this would be the best format to replace text/html-sandboxed with.
Comment 3 Anne 2011-07-13 12:37:37 UTC
This really is over-engineering the solution.
Comment 4 Eli Grey 2011-07-13 19:18:21 UTC
How would you sandbox an image/svg+xml game that a user uploads then? I may be over-engineering here, but the fact is that text/html-sandboxed is terribly unsuited for this.

To simplify the solution, it might just be best to go with a Sandbox: [options] HTTP header. For example,

Content-Type: image/svg+xml
Sandbox: allow-scripts

...
Comment 5 Eli Grey 2011-07-13 19:48:47 UTC
I have come up with a final solution to this problem: just remove text/html-sandboxed and don't provide any other sandboxing features than that of what is offered for iframes.

Sandboxing on the media type/HTTP level is best suited for Mozilla's CSP proposal, and has no place in HTML5. I have submitted https://bugzilla.mozilla.org/show_bug.cgi?id=671389 for integration of HTML5 sandboxing features into CSP.
Comment 6 Michael[tm] Smith 2011-08-04 05:02:55 UTC
mass-moved component to LC1
Comment 7 Ian 'Hixie' Hickson 2011-08-10 01:57:26 UTC
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: We don't have to sandbox all media types. HTML and XML are the only ones that are problematic, and XML doesn't yet have realistic use cases here (and could in the future be easily addressed by a separate sandboxing type for XML — I'll let the XML community worry about that).

The reason for having this type is so that someone can host an HTML file sandboxed in an iframe, yet still be safe from hostile people pointing their users at unsandboxed iframes pointing at that document. There's no reason to have the "allow-*" keywords here, they'll be on the iframe.
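The property the editor describes above, that the hosted document stays sandboxed even when a hostile page links to it outside any sandboxed iframe, can be checked from response headers alone. The following is an added example, not code from the bug thread or the HTML spec; it recognises both the text/html-sandboxed type discussed here and the CSP sandbox directive, which is how browsers expose the same top-level sandboxing today after the type was dropped from the spec. The header names are real; the function names and the sample header sets are constructed for illustration.

```python
"""Decide whether untrusted HTML would render sandboxed when navigated to
directly, not only when embedded in an <iframe sandbox>."""
from email.message import Message


def parse_media_type(content_type):
    """Return (type/subtype, {param: value}) for a Content-Type value.

    Message handles RFC 2045 parameter quoting, so a value such as
    text/html; charset="UTF-8" is split and unquoted correctly."""
    msg = Message()
    msg["Content-Type"] = content_type
    params = {k.lower(): v for k, v in msg.get_params()[1:]}
    return msg.get_content_type(), params


def csp_sandbox_flags(csp_value):
    """Return the flags of a CSP 'sandbox' directive as a frozenset, or None
    when the policy has no sandbox directive. A bare 'sandbox' directive
    yields an empty set, meaning every restriction applies."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "sandbox":
            return frozenset(t.lower() for t in tokens[1:])
    return None


def is_sandboxed_top_level(headers):
    """True if the response is sandboxed regardless of how it was reached:
    either via the text/html-sandboxed media type from this bug, or via a
    Content-Security-Policy sandbox directive (header form only; a <meta>
    CSP cannot carry sandbox)."""
    lower = {k.lower(): v for k, v in headers.items()}
    media_type, _ = parse_media_type(lower.get("content-type", ""))
    if media_type == "text/html-sandboxed":
        return True
    csp = lower.get("content-security-policy")
    return csp is not None and csp_sandbox_flags(csp) is not None


def headers_for_untrusted_html(allow=()):
    """Constructed response headers for hosting user-uploaded HTML so that
    the allow-* keywords live on the server response, as the CSP route
    suggested in comment 5 does, not only on the embedding iframe."""
    flags = " ".join(sorted(allow))
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": ("sandbox " + flags).strip(),
        "X-Content-Type-Options": "nosniff",
    }
```

Multiple comma-separated policies in one header are not split here; in a real scanner each policy should be checked separately, since any one of them carrying a sandbox directive is enough.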