2011-06-23 16:23:01: Created issue 'text/html-sandboxed does not always fail closed' nickname html-sandboxed owned by Adrian Bateman on product HTML 5 spec, description 'This issue was raised on behalf of Jacob Rossi.
The current spec includes a text/html-sandboxed MIME type to mitigate a scenario where a sandboxed iframe can be escaped by top level navigation to the content (thereby escaping the origin protections). It's designed with the intention of failing closed in non-supporting UAs. However, there are cases where this design will not work (IE6 as an example). Because sandbox is a defense in-depth feature, we need a solution to this scenario which also appears as defense in-depth--this suggests failing open. Our suggestion was a MIME type attribute such as text/html;sandboxed. It would behave the same as text/html-sandboxed except that non-supporting UAs would render it without restrictions (exactly as the sandbox iframe attribute behaves). Additionally, this has the benefit of allowing content other than text/html to be sandboxed by the server (e.g., image/svg+xml;sandboxed).
See the associated bug for details:
non-public [Adrian Bateman]