-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The safearea HTML tag and attribute #7164
Comments
This is what If we were to reconsider this it would benefit from being iterated over by the WICG community first: https://wicg.io/. Hope that helps. |
Specifically, this exact idea (a random nonce value placed on the opening and matching closing tag of an element) was considered and rejected back during the |
1- srcdoc and sandbox apply to iframes only. question : is there any letter agency ( WICG community) preventing this from happening because they want such security vulnerabilities to continue happening? of course it was rejected because from what i can tell , such solution is secure and it should have been in the HTML spec tight from the beginning. closing this security gap will close so many 3 letter agency gaps. and of course they didn't suggest any alternative and left the door open. also any future similar suggestions will be quickly closed. |
1-those are for iframe only. |
If pursuing this in WICG, it may help to avoid framing the premise as a "safe" area given many folks will have different expectations about the kinds of guarantees suggested by this word. In itself (if I'm understanding right) it doesn't appear to provide a persistent "safe area" but rather would act like a (one-time) parsing directive? Too bad |
The problem: preventing code injection in web pages.
proposed solution: the safearea html attribute and tag. it mark part of the page as 'not supposed to have any code inside'.
here is an example...
the long alfa-numenric code is :
-the browser will accept safearea body code only from the first tag in the page, that to prevent maliciously inserting a second body tag with new safearea code in order to override the main page safearea code. thus safearea does NOT work in iframe.
how to use?
basically once the browser see the safearea attribute with a code matching that in the body tag it turn on "no execution allowed mode" which will turn off interpreting anything as javascript or wasm . once the browser see a matching closing tag with the correct code it turn off "no execution allowed mode".
a closing tag with no code or with incorrect code will NOT turn off the safearea.
you can mark a whole area of the page as safearea by using the tag:
the safearea tag has no visual representation in the page what so ever,it is merely there in order to provide a signal to the browser. i.e. it is not even an inline or block element.
you want to hydrate the page via ajax? no problem:
i am lazy and "safearea" seem to be long, but for now i am more interested in the idea.
The text was updated successfully, but these errors were encountered: