W3C home > Mailing lists > Public > public-html-wg-issue-tracking@w3.org > June 2011

HTML-ISSUE-166 (html-sandboxed): text/html-sandboxed does not always fail closed [HTML 5 spec]

From: HTML Weekly Issue Tracker <sysbot+tracker@w3.org>
Date: Thu, 23 Jun 2011 16:23:01 +0000
To: public-html-wg-issue-tracking@w3.org
Message-Id: <E1QZmgH-0000k6-FY@lowblow.w3.org>

HTML-ISSUE-166 (html-sandboxed): text/html-sandboxed does not always fail closed [HTML 5 spec]

http://www.w3.org/html/wg/tracker/issues/166

Raised by: Adrian Bateman
On product: HTML 5 spec

This issue was raised on behalf of Jacob Rossi.

The current spec includes a text/html-sandboxed MIME type to mitigate a scenario where a sandboxed iframe can be escaped by top level navigation to the content (thereby escaping the origin protections). It's designed with the intention of failing closed in non-supporting UAs. However, there are cases where this design will not work (IE6 as an example). Because sandbox is a defense in-depth feature, we need a solution to this scenario which also appears as defense in-depth--this suggests failing open. Our suggestion was a MIME type attribute such as text/html;sandboxed. It would behave the same as text/html-sandboxed except that non-supporting UAs would render it without restrictions (exactly as the sandbox iframe attribute behaves). Additionally, this has the benefit of allowing content other than text/html to be sandboxed by the server (e.g., image/svg+xml;sandboxed).

See the associated bug for details:
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12390
Received on Thursday, 23 June 2011 16:23:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 23 June 2011 16:23:03 GMT