iframe dilemma: a compromise?

Julian Field mailscanner at ecs.soton.ac.uk
Mon Nov 4 18:31:01 GMT 2002


At 18:06 04/11/2002, you wrote:
>Having lagged behind in 3.x, we recently jumped to 3.25-1.  (Next step is
>4.x, but that was a leap too far at this point.)

One for Christmas, perhaps? If you start experimenting with V4 now, you may
be in a position to go "live" over Christmas or thereabouts, as you still
have 6 weeks or so to experiment and agree on the configuration. Feel free
to recruit me if you want some help or advice with the implications of the
various settings. I can remember why I wrote most of them :-)

>One of the things that caught us was the new "Allow IFrame Tags" option.
>
>Now I'll immediately confess to knowing absolutely nothing about the dark,
>inner workings of anything vaguely iframe-ish.  And I'll also confess to
>having failed to pay attention to its discussion here during recent weeks.
>
>It seems the choice is currently a stark one: either permit iframe (and
>risk its possible dangers) or forbid iframe (and risk the dangers of
>unhappy users with big sticks).
>
>Might there be the possibility of a compromise?  An option something like
>"convert iframe to text"?  (Or was this discussed and deemed unworkable?)

In version 4, you can allow IFrame tags from any given "trusted" address,
which solves the problem.
I am loath to spend the time required to implement all the "domains file"
code in version 3; it would be quite a bit of work.

If you keep your Outlook and OE users well up to date with patches, then
you probably won't have much problem as most of the current viruses that
exploit this rely on you not having installed patches that were issued a
year ago.
--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
