User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
IE has an attribute that can be specified on IFRAMEs that can lower the security zone of that iframe only. See: http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/security.asp
It can be used to restrict JavaScript and other dynamic behaviors of content in that iframe.
I suggest we implement something similar, which can be a big help for webmail providers as it can provide a fallback mechanism in case they fail to filter out all dynamic (malicious) content from emails.
The current approaches to filtering out such content are:
1. filtering out all unsafe tags and styles (difficult)
2. loading the (semi-filtered) content in an iframe from another domain (to trigger the natural cross-domain security protection)
With the iframe security attribute, we can have the browser restrict the content, which is much more efficient and error-proof.
In order to remain standards compliant, perhaps such a feature should be triggered with JavaScript instead of with HTML markup.
Reproducible: Always
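
Added illustration, not part of the original report: a browser-enforced fallback of the kind requested above, combining the IE `security="restricted"` attribute the report cites with the HTML5 `sandbox` and `srcdoc` iframe attributes. The names `buildRestrictedFrame`, `escapeAttr` and `GRANTABLE`, and the sample message, are constructed for this example.

```javascript
// Added example; buildRestrictedFrame, escapeAttr and GRANTABLE are hypothetical names.

// Sandbox keywords this mail viewer is willing to grant back. allow-scripts and
// allow-same-origin are deliberately absent: message content never needs them.
const GRANTABLE = new Set(["allow-popups", "allow-popups-to-escape-sandbox"]);

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;") // must run first so later entities are not re-escaped
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Return iframe markup that carries the (already filtered) message HTML in
// srcdoc and asks the browser to enforce the restrictions as a second layer.
function buildRestrictedFrame(messageHtml, grants = []) {
  for (const token of grants) {
    if (!GRANTABLE.has(token)) {
      throw new Error("sandbox keyword not permitted for mail content: " + token);
    }
  }
  const sandbox = [...new Set(grants)].join(" "); // de-duplicate, keep order
  return (
    '<iframe sandbox="' + sandbox + '"' +
    ' security="restricted"' + // IE attribute from the report; other browsers ignore it
    ' srcdoc="' + escapeAttr(messageHtml) + '"></iframe>'
  );
}

// Constructed sample: a message in which dynamic content survived filtering.
const sample = '<p onclick="track()">Hi & bye</p><script>track()</script>';
console.log(buildRestrictedFrame(sample));
```

An empty `sandbox` value is the most restrictive setting: scripts are disabled and the framed document is placed in a unique origin, so content the filter missed does not run with the webmail page's privileges.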