Re: Comparison between <sandbox> and @sandbox

Could we please have a link to the <sandbox> proposal?  I can't find
anything useful through searching.

On Thu, Jan 28, 2010 at 8:01 PM, Helen Wang (MSR) <helenw@microsoft.com> wrote:
>>  For example, the publisher might be concerned about Flash-based
>> malware and might want to prevent the advertisement from instantiating
>> a Flash movie.
>
> Neither sandbox proposal allows inclusion of plugin content.

Not so far, but @sandbox may introduce some measure of control over
this at a later time, for plugins that can interact with the sandbox
security model.

(I don't know if <sandbox> can, or can be extended to, do so as well,
since I can't find the proposal details yet.)

> <sandbox> is trying to sandbox existing scripts out there.  A script runs with the context of its includer in legacy browsers when included as <script>, and may run as its origin when included as <iframe> due to MIME sniffing.

I thought that testing had shown that the MIME-sniffing situation was
basically under control?  If not, could I have a link to some
demonstrations to the opposite effect?  Again, searching fails me.  As
far as I know, the only issues found so far are with files ending in
.html, correct?

> For low-interaction use cases, why doesn't a hosting site simply host the content in a throwaway domain, which seems almost as simple as doing @sandbox; what do people think about this?

In many shared-hosting situations, additional domains are not easy to
get.  When an author can get an additional domain, it is still an
additional cost.

> - if @sandbox is for low-interaction applications, why don't providers host untrusted content on throwaway domains?

The @sandbox security model is more fine-grained than what is provided
by simply moving content to a throwaway domain.  The presence or
absence of the allow-same-origin directive is equivalent to hosting a
script on/off domain, but there are other directives that provide
additional controls over the untrusted content.

~TJ
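The point made above about allow-same-origin being the on/off-domain switch, with the other directives layered on top, is easy to get wrong in practice. The following is an added example for this archive page, not code from the thread or from either proposal: a small Node.js helper that models what an iframe `sandbox` attribute value grants to the framed document, so an embedder can review an ad-slot policy before shipping it. The token names are the ones in the current HTML Standard's sandbox attribute (the 2010 draft had fewer); the origin rule is the spec's (no allow-same-origin means the framed document gets an opaque, unique origin). The function names, the `reviewAdSlot` warning texts and the origins used in the comments are my own.

```javascript
// Added example (not from the thread): model the capabilities an
// <iframe sandbox="..."> value grants, and flag the combinations a reviewer
// should look at. Token list: current HTML Standard sandbox keywords.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Parse the attribute the way the HTML parser does: an unordered set of
// ASCII-whitespace-separated tokens, compared ASCII case-insensitively.
// Unknown tokens are silently ignored by browsers, so they are reported here.
function parseSandbox(attrValue) {
  const tokens = new Set();
  const unknown = [];
  for (const raw of (attrValue || "").split(/[ \t\n\f\r]+/)) {
    if (raw === "") continue;
    const token = raw.toLowerCase();
    if (KNOWN_TOKENS.has(token)) tokens.add(token);
    else unknown.push(raw);
  }
  return { tokens, unknown };
}

// Capabilities of the framed document for a given attribute value.
// attrValue === null means the iframe has no sandbox attribute at all.
// embedderOrigin / frameOrigin are origin strings, e.g. "https://pub.example"
// (hypothetical hosts, chosen for the example).
function effectivePolicy(attrValue, embedderOrigin, frameOrigin) {
  if (attrValue === null) {
    // Not sandboxed: only the same-origin policy separates the two documents.
    return {
      origin: frameOrigin,
      scripts: true, forms: true, popups: true, topNavigation: true,
      canReachEmbedderDom: frameOrigin === embedderOrigin,
      canRemoveOwnSandbox: false,
      unknownTokens: [],
    };
  }
  const { tokens, unknown } = parseSandbox(attrValue);
  const keepsOrigin = tokens.has("allow-same-origin");
  // Without allow-same-origin the document is opaque-origin: the same
  // isolation a throwaway domain gives, without needing the domain.
  const origin = keepsOrigin ? frameOrigin : "opaque";
  const canReachEmbedderDom = keepsOrigin && frameOrigin === embedderOrigin;
  return {
    origin,
    scripts: tokens.has("allow-scripts"),
    forms: tokens.has("allow-forms"),
    popups: tokens.has("allow-popups"),
    topNavigation: tokens.has("allow-top-navigation"),
    canReachEmbedderDom,
    // Same-origin content with scripts can reach parent.document and strip
    // the sandbox attribute from its own <iframe>, so the sandbox is moot.
    canRemoveOwnSandbox: canReachEmbedderDom && tokens.has("allow-scripts"),
    unknownTokens: unknown,
  };
}

// Review helper: returns the warnings a policy reviewer would want to see.
function reviewAdSlot(attrValue, embedderOrigin, frameOrigin) {
  const p = effectivePolicy(attrValue, embedderOrigin, frameOrigin);
  const warnings = [];
  if (p.canRemoveOwnSandbox)
    warnings.push("same-origin + scripts: frame can remove its own sandbox");
  if (p.topNavigation)
    warnings.push("allow-top-navigation: frame can redirect the top page");
  if (p.unknownTokens.length > 0)
    warnings.push("unknown tokens ignored by browsers: " + p.unknownTokens.join(", "));
  return { policy: p, warnings };
}

// Build the slot markup with attribute values escaped.
function adSlotMarkup(src, attrValue) {
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  return `<iframe src="${esc(src)}" sandbox="${esc(attrValue)}"></iframe>`;
}

module.exports = { parseSandbox, effectivePolicy, reviewAdSlot, adSlotMarkup };
```

Usage: `reviewAdSlot("allow-scripts", "https://pub.example", "https://pub.example")` reports no warnings, because the content runs opaque-origin even though it is served from the publisher's own host; adding `allow-same-origin` to that same value yields the "can remove its own sandbox" warning, which is exactly the case where the attribute buys nothing over plain on-domain hosting.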

Received on Friday, 29 January 2010 02:30:15 UTC