- From: Craig Francis <craig.francis@gmail.com>
- Date: Sun, 20 Mar 2016 21:06:01 +0000
- To: WebAppSec WG <public-webappsec@w3.org>
- Message-Id: <389A9F82-C2E4-48E7-AA5A-D56ABA728070@gmail.com>
Hi,
As part of my never ending quest to banish untrusted third party content into iframes...
Would it be possible to introduce a new token to the `sandbox` attribute, so that it allows the iframed document (cross domain) to read the Text Content of the parent document?
Something like:
<iframe sandbox="allow-parent-text-content-read ..."></iframe>
This would allow Ad networks to put their unsafe/untrusted/messy JavaScript into a sandboxed iframe, and for them to have the very limited permission of being able to read the `.textContent` of the parent DOM - which is something they insist on for "contextual adverts".
We can then block the third party from having full read/write access to the whole page.
This will stop them seeing anything that isn't the text on the page (e.g. CSRF tokens, or values in input fields):
<form action="/profile" id="profile">
<label for="name">Name</label>
<input type="text" id="name" value="Craig" />
<input type="hidden" name="csrf" value="kr3aN1oY" />
</form>
<script>
console.log(document.getElementById('profile').textContent); // Logs "Name" (plus the surrounding whitespace text nodes); the input value "Craig" and the CSRF token are attribute values, so they are not part of textContent
</script>
Craig
https://www.w3.org/TR/2011/WD-html5-20110525/the-iframe-element.html#attr-iframe-sandbox
https://github.com/craigfrancis/security/tree/master/third-party-content
Received on Sunday, 20 March 2016 21:06:32 UTC
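The token proposed above does not exist, but the same privilege split (the third-party frame sees the page's text and nothing else) can be approximated today: the parent keeps the cross-origin frame sandboxed, builds a text-only snapshot itself, and pushes it to the frame with postMessage. The following is an added example, not code from the message or from the linked repository; the origins `https://ads.example` and `https://publisher.example`, the function names, and the assumption that the ad frame is sandboxed with `allow-scripts allow-same-origin` (so it keeps a real origin and a specific postMessage target origin can be used) are all mine.

```javascript
// Added example (not from the message above or any spec): approximating the
// proposed "allow-parent-text-content-read" sandbox token with postMessage.
// The frame never gets a DOM reference; it only receives a string built by
// the parent from text nodes, so input values and hidden CSRF tokens (which
// live in attributes, not text nodes) are never exposed.

const AD_FRAME_ORIGIN = 'https://ads.example';          // assumption: ad frame origin
const PUBLISHER_ORIGIN = 'https://publisher.example';   // assumption: parent origin

// Element bodies whose text is code or markup rather than page copy.
const SKIPPED_ELEMENTS = new Set(['SCRIPT', 'STYLE', 'NOSCRIPT', 'TEMPLATE']);

// Walk a subtree and join its text nodes. Like Node.textContent it reads text
// nodes only (never attributes), but it also drops script/style bodies and
// collapses whitespace. It touches only nodeType, nodeName, nodeValue and
// childNodes, so it runs on real DOM nodes and on the plain objects below.
function textSnapshot(node) {
  const ELEMENT_NODE = 1, TEXT_NODE = 3;
  const parts = [];
  (function walk(n) {
    if (n.nodeType === TEXT_NODE) { parts.push(n.nodeValue); return; }
    if (n.nodeType === ELEMENT_NODE && SKIPPED_ELEMENTS.has(n.nodeName.toUpperCase())) return;
    for (const child of n.childNodes || []) walk(child);
  })(node);
  return parts.join(' ').replace(/\s+/g, ' ').trim();
}

// Parent side: deliver the snapshot to one frame with an explicit target
// origin (never '*'), so a frame that has navigated elsewhere gets nothing.
// If the frame were sandboxed WITHOUT allow-same-origin its origin would be
// opaque and only '*' would deliver; then the frame-side source check below
// is the remaining guard.
function publishSnapshot(frame, root) {
  frame.contentWindow.postMessage(
    { type: 'parent-text', text: textSnapshot(root) },
    AD_FRAME_ORIGIN
  );
}

// Frame side: accept only a correctly shaped message from the expected parent
// window and origin. Returns the text, or null if the message is rejected.
function acceptSnapshot(event, expectedOrigin, expectedSource) {
  if (event.source !== expectedSource) return null;
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || data.type !== 'parent-text' || typeof data.text !== 'string') return null;
  return data.text;
}

// Browser wiring; skipped under Node so the functions above stay testable.
if (typeof window !== 'undefined') {
  if (window.parent === window) {
    // Parent document: push a snapshot once the sandboxed frame has loaded.
    const frame = document.querySelector('iframe[sandbox]');
    if (frame) frame.addEventListener('load', () => publishSnapshot(frame, document.body));
  } else {
    // Sandboxed frame: wait for the snapshot from the parent window.
    window.addEventListener('message', (event) => {
      const text = acceptSnapshot(event, PUBLISHER_ORIGIN, window.parent);
      if (text !== null) console.log('page text:', text);
    });
  }
}

// Constructed sample mirroring the form in the message: plain objects with
// the DOM properties the walker reads (not real DOM nodes).
function sampleForm() {
  const el = (name, children, attrs = {}) =>
    ({ nodeType: 1, nodeName: name, childNodes: children, ...attrs });
  const txt = (s) => ({ nodeType: 3, nodeName: '#text', nodeValue: s, childNodes: [] });
  return el('FORM', [
    txt('\n  '), el('LABEL', [txt('Name')]),
    txt('\n  '), el('INPUT', [], { value: 'Craig' }),
    txt('\n  '), el('INPUT', [], { value: 'kr3aN1oY' }),
    txt('\n  '), el('SCRIPT', [txt('inlineSecret = 1')]),
    txt('\n'),
  ]);
}
```

Run in Node, `textSnapshot(sampleForm())` returns `"Name"` and contains neither the input value nor the token; in a browser the same walker runs over `document.body`. The frame still has to treat the received string as data (text, not HTML), but the parent's hidden fields are out of its reach by construction rather than by the frame's good behaviour.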