
Improving sandbox for popups

From: Jacob Rossi <jrossi@microsoft.com>
Date: Tue, 29 Mar 2011 07:14:45 +0000
To: "public-html@w3.org" <public-html@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>
CC: Adrian Bateman <adrianba@microsoft.com>
Message-ID: <D0BC8E77E79D9846B61A2432D1BA4EAE027CB995@TK5EX14MBXC116.redmond.corp.microsoft.com>

After reading some of the spec text for the sandbox attribute, I have a few suggestions:

I believe showModalDialog() should also be blocked by the sandboxed navigation browsing context flag [1]. It looks like Chrome already does this and it seems straightforward that it should be treated similarly to window.open().
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12391

Also, I think the behavior for links with target attributes could be better defined for each of its possible values:
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12392

Finally, it'd be nice if there was also an "allow-popups" token for the sandbox attribute. When set, window.open(), showModalDialog(), and links with target="_blank" would be allowed. However, the newly created browsing contexts should inherit the sandbox restrictions of the context from which the popup was created.
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12393


--Jacob Rossi
Received on Tuesday, 29 March 2011 07:15:22 GMT
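
The behaviour proposed in the message above, modelled as an added example that is not part of the original message and is not any browser's implementation. The names parseSandbox and requestPopup and the sample attribute values are hypothetical.

```javascript
// Model of the proposal only: an "allow-popups" token gates the three popup
// paths named in the message, and the new browsing context inherits the
// opener's sandbox restrictions.

// Split a sandbox attribute value on HTML whitespace; tokens are ASCII
// case-insensitive. A missing attribute (null) means "not sandboxed".
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(
    attr.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// The popup-creating actions listed in the message.
const POPUP_ACTIONS = new Set(['window.open', 'showModalDialog', 'target=_blank']);

// opener: { sandbox: Set | null }
// Returns { allowed, context }, where context is the new browsing context
// (or null when the popup is blocked).
function requestPopup(opener, action) {
  if (!POPUP_ACTIONS.has(action)) {
    throw new Error('not a popup action: ' + action);
  }
  if (opener.sandbox === null) {
    // Unsandboxed opener: sandbox flags do not apply.
    return { allowed: true, context: { sandbox: null } };
  }
  if (!opener.sandbox.has('allow-popups')) {
    // Sandboxed without the token: all three paths are blocked alike.
    return { allowed: false, context: null };
  }
  // Sandboxed with the token: the popup is created, but it carries a copy of
  // the opener's token set, so it gains nothing the opener lacked (and can
  // itself open further popups that inherit the same set).
  return { allowed: true, context: { sandbox: new Set(opener.sandbox) } };
}

// Constructed sample: <iframe sandbox="allow-scripts ALLOW-POPUPS">
const frame = { sandbox: parseSandbox('allow-scripts ALLOW-POPUPS') };
const popup = requestPopup(frame, 'window.open');
console.log(popup.allowed, [...popup.context.sandbox]);
```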
