W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: text/sandboxed-html

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 13 Jan 2010 03:29:16 +0000 (UTC)
To: "Roy T. Fielding" <fielding@gbiv.com>, "sird@rckc.at" <sird@rckc.at>, Maciej Stachowiak <mjs@apple.com>, Boris Zbarsky <bzbarsky@MIT.EDU>, Devdatta <dev.akhawe@gmail.com>
Cc: public-html@w3.org, public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.1001130313260.8484@hixie.dreamhostps.com>
On Tue, 12 Jan 2010, Roy T. Fielding wrote:
> On Jan 12, 2010, at 5:51 PM, Ian Hickson wrote:
> > 
> > In response to implementor feedback regarding the sandbox="" feature 
> > of <iframe> in the WHATWG list [1], and based in part on a 2007 
> > research paper from Microsoft [2], I have introduced a new MIME type 
> > for HTML (text/sandboxed-html) that is identical to text/html in every 
> > way except one critical aspect: resources served with this MIME type 
> > are forced into a unique security origin context.
> 
> I would prefer a media type of "text/html-sandboxed", since that places 
> the two types next to each other in a sorted list and allows easier 
> prefix-matching when desired.

Done.


On Wed, 13 Jan 2010, sird@rckc.at wrote:
>
> this is a great idea! but I think that legacy browsers will prompt a 
> <download file> dialog if they dont support it.

Right, that's the idea.


> why not putting the sandboxed URL inside the sandbox attribute? anyway, 
> it's just a suggestion, the new mime type is a great idea, now sandbox 
> makes sense!

The main reason for this feature is to prevent browsers from ever giving 
this file rights if it is accessed directly (without a sandbox). For 
example, if you host a file you know is hostile, so that you can use it 
like this:

   <iframe src="hostile" sandbox></iframe>

...then you're still letting your users be vulnerable if they just 
navigate straight to the "hostile" file.

However, if the "hostile" file is served as text/html-sandboxed, users 
wouldn't get attacked when they visit it, the file would just be 
downloaded/ignored/etc.


On Wed, 13 Jan 2010, sird@rckc.at wrote:
>
> btw, I have one question
> 
> <iframe sandbox-src="javascript:'in which context does this run?';">

Assuming you just mean:

   <iframe sandbox src="javascript:..."></iframe>

...then it runs in the same context as without the sandbox. What is 
sandboxed is then the return value (which is parsed as HTML, as usual 
for javascript: URLs used for navigating browsing contexts).


On Tue, 12 Jan 2010, Boris Zbarsky wrote:
> 
> My concern was whether sites would choose to use this if it meant that 
> <iframe sandbox> in a browser with no sandbox support would do weird 
> stuff with the content.  I guess doing weird stuff is certainly 
> preferable to it being treated as HTML by said browser.  ;)

Yeah, this is not a feature that is intended to be used exclusively, at 
least not when targetting legacy UAs. It's hard to use any new security 
feature when targetting legacy UAs. :-)


On Tue, 12 Jan 2010, Devdatta wrote:
> >
> > A site wishing to selectively use either <iframe sandbox> or nothing 
> > could feature-detect sandbox support before attempting to load the 
> > text/sandboxed-html resource.
> 
> That seems like an important functionality. How would sites be able to 
> detect support (short of user agent sniffing) ?

   if ('sandbox' in document.createElement('iframe')) {
     // sandboxing supported
   }

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 13 January 2010 03:29:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:57 GMT