
Re: iframe sandbox suggestion

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 1 Apr 2010 21:03:50 +0000 (UTC)
To: Artur Adib <arturadib@gmail.com>
Cc: public-html-comments@w3.org
Message-ID: <Pine.LNX.4.64.1004012100270.4055@ps20323.dreamhostps.com>

On Thu, 1 Apr 2010, Artur Adib wrote:
> I am concerned that the suggested implementation of the feature still 
> leaves a security hole, namely allowing a cross-domain iframe'd document 
> to *read* the window.top location. (I understand the current draft 
> forbids *navigation* at the top level, but it seemingly leaves the 
> possibility of *reading* the top level location).

Any cross-origin access to window.top.location's value is blocked:


> A face-value solution is to raise a security exception when a 
> cross-domain, sandboxed iframe tries to read its top-level location. 
> However, this raises some compatibility issues with existing websites 
> that implement the so-called "frame buster" trick (see e.g. twitter.com, 
> nytimes.com), since these sites test whether top.location != 
> self.location to enforce they are not framed.

That wouldn't break, because that doesn't compare the URLs; it compares the 
actual objects. Such a test would actually frame-bust even if the two 
objects were the same URL, assuming they were nested in each other.

> I believe a better solution (and one that incidentally puts an end to 
> the ridiculous "frame buster" war, see e.g. 
> http://en.wikipedia.org/wiki/Framekiller) is to return the sandboxed 
> location itself when it attempts to read top.location.  That way, the 
> sandboxed environment behaves as a standalone "mini-browser", without 
> any awareness concerning its surrounding environment.

Frame busting is necessary for security -- without it you are vulnerable 
to clickjacking. There is work ongoing to make frame busting work better 
(and not rely on script), but that wouldn't prevent these from working.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 1 April 2010 21:04:18 UTC
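As an added illustration (not part of the original thread), a Node.js model of the two frame-buster checks discussed above: the identity comparison `top.location != self.location` that the reply says keeps working, and a URL-string comparison that depends on reading `top.location`. The window objects, the `Location` class and the simulated cross-origin read block are constructed stand-ins for browser behaviour, not real DOM code.

```javascript
// Constructed model of nested browsing contexts (not real DOM objects).
// Each context gets its own Location object, so two contexts showing the
// same URL still hold *distinct* Location objects, as in a browser.
class Location {
  constructor(href) { this.href = href; }
}

// Build a browsing context; `parent` is null for the top-level page.
function makeWindow(href, parent = null) {
  const win = { location: new Location(href), parent: null, top: null };
  win.parent = parent || win;
  win.top = parent ? parent.top : win;
  return win;
}

function origin(href) { return new URL(href).origin; }

// Identity-based frame buster, as used by the sites named in the thread:
// `top.location != self.location` compares objects, not URL strings, so it
// reports "framed" whenever the page is nested at all, even if the outer
// page has the very same URL. Obtaining the Location object itself is
// permitted cross-origin, so this check needs no cross-origin *read*.
function framedByIdentity(self) {
  return self.top.location !== self.location;
}

// URL-based variant: reads top.location.href. Across origins that read is
// blocked; the block is simulated here by throwing, standing in for the
// browser's SecurityError. Same-origin, a same-URL nesting is NOT detected.
function framedByHref(self) {
  if (origin(self.top.location.href) !== origin(self.location.href)) {
    throw new Error('SecurityError: cross-origin read of top.location blocked');
  }
  return self.top.location.href !== self.location.href;
}

// Clickjacking defence as the thread describes it: break out of the frame
// when the identity check says we are nested. Returns the decision rather
// than navigating, so it can be exercised outside a browser.
function shouldFrameBust(self) {
  return framedByIdentity(self);
}
```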