Re: iframe sandbox for third-party widgets and ads (was Re: [CSP] Clarifications on nonces)

On Mon, Feb 9, 2015 at 12:41 PM, Brian Smith <brian@briansmith.org> wrote:

> My suggestions here definitely are solely about applying the principle
> of least privilege to ads and other third-party code that is commonly
> embedded on pages. It's not about hurting advertisers or eliminating
> their access to any information they need access to. My suggestions
> are purely about eliminating the ability of a compromised ad/widget
> server to compromise the security of every origin that embeds its
> content.
>

I very much like this statement of the problem.


> For example, you say that my suggestion doesn't seem
> realistic "especially for media-centric endeavors." It would be great
> to hear from you and others about why it is unrealistic now.
>

I'm sure folks who are more deeply involved with advertising projects could
give a better list, but three things come to mind right away:

1. Sandboxed IFrames can't execute plugins.

2. Some widgets and advertisements offer interactions that break out of the
bounds of an IFrame. This can range from boxes that expand when you
mouseover up through excitingly interactive bits that overlay a page's
content.

3. Some particularly lovely types of content "enhance" pages by (for
instance) turning every other word into a link with actions on hover.

It would be good to determine how we can best solicit feedback from
advertisers and widget creators, as I suspect that most folks meeting that
description aren't participating in the WG. :/

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 9 February 2015 11:55:39 UTC
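The least-privilege embedding Mike and Brian are discussing, with point 2 (an ad that wants to expand beyond its frame) handled by host mediation instead of breaking out of the sandbox, as an added example that is not code from the thread or from either author; the slot sizes, the message format and the sketched DOM wiring are assumptions.

```javascript
// Added example (not from the thread): host-side mediation of an "expanding" ad
// running in a sandboxed iframe. The widget gets only allow-scripts, so it runs
// on an opaque origin and cannot touch the embedding page; any expansion it wants
// has to be requested over postMessage and is granted by the host within limits.
// Pure functions so they run under Node; the browser wiring is sketched below.

// Capabilities the host is willing to grant (assumed policy). Note: no
// allow-same-origin and no allow-top-navigation, so the frame stays opaque.
const SANDBOX_TOKENS = ["allow-scripts"];

// Assumed policy for one ad slot: base size and the maximum it may expand to.
const SLOT_POLICY = { width: 300, height: 250, maxWidth: 600, maxHeight: 500 };

function sandboxAttribute(tokens) {
  // Refuse tokens that would let the frame leave the sandbox entirely.
  const forbidden = new Set(["allow-same-origin", "allow-top-navigation"]);
  return tokens.filter((t) => !forbidden.has(t)).join(" ");
}

// Decide what to do with a message that arrived at the host window.
// `expectedSource` stands in for the slot's iframe.contentWindow.
function handleWidgetMessage(event, expectedSource, policy) {
  // A frame sandboxed without allow-same-origin posts with origin "null", so
  // the identity check has to be on the source window, not on the origin.
  if (event.source !== expectedSource || event.origin !== "null") {
    return { action: "ignore", reason: "unexpected sender" };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object") return { action: "ignore", reason: "bad shape" };
  switch (msg.type) {
    case "expand": {
      // Clamp to the slot policy: the widget never dictates the page layout directly.
      const w = Math.min(Number(msg.width) || policy.width, policy.maxWidth);
      const h = Math.min(Number(msg.height) || policy.height, policy.maxHeight);
      return { action: "resize", width: Math.max(w, policy.width), height: Math.max(h, policy.height) };
    }
    case "collapse":
      return { action: "resize", width: policy.width, height: policy.height };
    default:
      return { action: "ignore", reason: "unknown type " + String(msg.type) };
  }
}

// Browser wiring (assumed, not executed here):
//   iframe.setAttribute("sandbox", sandboxAttribute(SANDBOX_TOKENS));
//   window.addEventListener("message", (e) => {
//     const d = handleWidgetMessage(e, iframe.contentWindow, SLOT_POLICY);
//     if (d.action === "resize") { iframe.width = d.width; iframe.height = d.height; }
//   });
```

The widget itself only ever calls `parent.postMessage({type: "expand", width, height}, "*")`; the host decides whether and how far the slot actually grows.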