I'm looking for a list of elements that can load external resources given no additional DOM manipulation via JavaScript is allowed. I am trying to host e-mails from third parties with an HTML viewer and when that happens, I need to remove any resources that load automatically so that only the base HTML is displayed even if that makes the content show up incorrectly.

So far the list is:

<img />
<embed />
<object />
<link />
<script />
<audio />
<video />
<style type="text/css">selector { property: uri('') }</style>

Are there any other elements or patterns I need to take into account to prevent third-party resources from being loaded. And, yes, I am familiar with the sandbox attribute, but we require support for older browsers as well.