W3C home > Mailing lists > Public > public-html@w3.org > March 2011

text/html-sandboxed should just be a sandboxed MIME type attribute

From: Jacob Rossi <jrossi@microsoft.com>
Date: Tue, 29 Mar 2011 06:33:20 +0000
To: "public-web-security@w3.org" <public-web-security@w3.org>, "public-html@w3.org" <public-html@w3.org>
CC: Adrian Bateman <adrianba@microsoft.com>
Message-ID: <D0BC8E77E79D9846B61A2432D1BA4EAE027BB67A@TK5EX14MBXC110.redmond.corp.microsoft.com>
(Including public-web-security for their feedback on this as well.)

The iframe sandbox attribute is a self-described defense in-depth security feature. As such, there's no need to use a full MIME type to protect against non-supporting browsers (http://dev.w3.org/html5/spec/Overview.html#text-html-sandboxed). The spec text under "Security Considerations" makes it sound like text/html-sandboxed is the resolution to the sandbox attribute being defense in-depth, which is untrue. Furthermore, if web sites view this feature as "just send this mime type to be safer," then users of non-supporting browsers will experience file downloads or (in the case where another program/browser has registered to handle the type)the launch of part of the website in another program/browser. That's just a bad user experience IMO.

What about other existing MIME types that might need to be sandboxed (image/svg+xml, application/xhtml+xml, etc.)? Do we really want to add new sandboxed MIME types for each of these? Really, these aren't new types. Rather, they're existing types with the caveat of a flag being set. A better option would be to use a MIME type attribute to indicate the content should be relegated to a unique domain (text/html;sandboxed or application/xhtml+xml;sandboxed). This would allow any existing (or future) type to be sandboxed. Additionally, it avoids the false impression that text/html-sandboxed is a definitive method of restricting the content from accessing the rest of the site.

I've opened a bug to track this:  http://www.w3.org/Bugs/Public/show_bug.cgi?id=12390

-Jacob Rossi
Received on Tuesday, 29 March 2011 06:34:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:26 GMT