Email or username:

Password:

Forgot your password?
Top-level
Jake Archibald

@simon <iframe sandbox> is useful here. You can even allow JavaScript but have it run in an opaque origin.

6 comments
Simon Willison

@jaffathecake I'm desperately keen on learning the true ins and outs of that, but I've found detailed documentation (including browser support) on all of the options you can stuff in that sandbox attribute frustratingly difficult to locate

Simon Willison

@jaffathecake it's the best I've seen but it still leaves me with so many questions... how good is browser support for each of those allowX things? What do browser security experts advise in terms of using them?

I'm really paranoid :/

Jake Archibald

@simon the browser support for the various allow features is in the table at the end of the page

Frederik Braun �

@simon @jaffathecake if you just want the SVG displayed, put them in an <img> tag. Otherwise, your favorite sanitizer library DOMPurify has great SVG support. (Iframe sandbox works really great too!!)

Go Up