[whatwg] some thoughts on sandboxed IFRAMEs

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sun, 13 Dec 2009 17:41:28 -0800
Message-ID: <448e9a320912131741x71aacd38gd9e7d119a311aee2@mail.gmail.com>
> <span sandbox>&lt;span&gt;But this span will have another span as its
> child, sandboxed. The regular parser sees no entities here, only a
> nested span!&lt;/span&gt;</span>

That's a pretty reasonable variant for lightweight sandboxes, IMO. It
does not have the explicit assurance of a token-based approach (i.e.,
will not fail right away if the user gets it wrong), but it's better
than data: URLs or @doc in that - as you noted - it will fail quickly
if the encapsulated HTML is not escaped, while this may still go
unnoticed until abused:

<iframe sandbox doc="<h1>User input without escaping"></iframe>
<iframe sandbox src="data:text/html,<h1>User input without escaping"></iframe>

As a side note, the other benefit of sandboxed spans and divs in such
a design is that you can then have .innerHTML on sandbox-tagged
elements automagically conform to the sandboxing rules, without the
need for .toStaticHTML, .secureInnerHTML, or similar approaches (which
are error-prone by the virtue of tying sanitization to data access
method, rather than a particular element).

/mz
Received on Sunday, 13 December 2009 17:41:28 UTC
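
As an added illustration (not part of Michal's message or any project's code), the JavaScript below shows the escaping step that the sandboxed-span variant makes visible, alongside a simple defender-side check for the two silent patterns quoted above. The `sandbox` attribute on `<span>` is hypothetical, as in the thread, and the regex-based scan is an assumption of this example.

```javascript
// Added example, not from the original message: the "sandbox" attribute on
// <span> is hypothetical (as in the thread) and the scan below is a
// simple heuristic assumed for this illustration.

// Entity-escape untrusted text so that an enclosing element, sandboxed or
// not, receives it as character data rather than as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// The sandboxed-span variant: escaping is mandatory, and forgetting it is
// noticed at once because the untrusted tags then parse as real elements
// nested in (or breaking out of) the span instead of as escaped text.
function sandboxedSpan(untrustedHtml) {
  return "<span sandbox>" + escapeHtml(untrustedHtml) + "</span>";
}

// Defender-side check for the two silent patterns in the message: an
// iframe whose doc="..." or src="data:text/html,..." attribute still
// holds a raw "<". That character survives in a quoted attribute, so the
// page keeps working, which is exactly why unescaped input goes unnoticed.
// Correctly built values would carry &lt; (doc) or %3C (data: URL) instead.
function findUnescapedIframeDocs(markup) {
  const findings = [];
  const attrRe = /<iframe\b[^>]*?\b(doc|src)\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = attrRe.exec(markup)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2];
    const inlineDoc = attr === "doc" || /^data:text\/html[;,]/i.test(value);
    if (inlineDoc && value.includes("<")) {
      findings.push({ attr, value });
    }
  }
  return findings;
}

// Constructed sample: the two iframe lines quoted in the message.
const sample =
  '<iframe sandbox doc="<h1>User input without escaping"></iframe>\n' +
  '<iframe sandbox src="data:text/html,<h1>User input without escaping"></iframe>';

console.log(sandboxedSpan("<h1>User input</h1>"));
console.log(findUnescapedIframeDocs(sample));
```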
