[Bug 13348] I was wondering if it would be possible to extend the iframe sandbox attribute to provide additional functionality. We've been developing a HTML5 digital signage solution where the playback application is a HTML5 web page. When the solution is displaying

http://www.w3.org/Bugs/Public/show_bug.cgi?id=13348

Aryeh Gregor <Simetrical+w3cbug@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bzbarsky@mit.edu,
                   |                            |Simetrical+w3cbug@gmail.com
                   |                            |, w3c@adambarth.com
            Summary|I was wondering if it would |I was wondering if it would
                   |be possible to extend the   |be possible to extend the
                   |iframe sandbox attribute to |iframe sandbox attribute to
                   |provide additional          |provide additional
                   |functionality. We've been   |functionality. We've been
                   |developing a HTML5 digital  |developing a HTML5 digital
                   |signage solution where the  |signage solution where the
                   |playback application is a   |playback application is a
                   |HTML5 web page. When the    |HTML5 web page. When the
                   |solution is displaying      |solution is displaying

--- Comment #1 from Aryeh Gregor <Simetrical+w3cbug@gmail.com> 2011-07-25 20:45:53 UTC ---
I think this would have a hard time meeting security review.  Clickjacking
would still be possible here as long as the site can add or remove the iframe. 
Suppose it lures the user into clicking in some consistent pattern, like in a
game that involves trying to click in particular places at particular times. 
Then when you can predict the user is about to click, briefly replace the game
with the iframe, quickly enough so they don't notice in time to stop clicking.

Opening a new window doesn't have this issue because once you open it, you
can't control its position or whether it's focused.  If the user clicks on your
page, you can't reliably transfer the click to the new window no matter what. 
Nothing that's inside the page content will be secure.  Yes, this is a
disadvantage of web apps compared to desktop apps, but such disadvantages are
necessary, since web apps run without the user's knowledge or consent.

CC'ing some implementers to get confirmation on whether this is an unacceptable
security problem given the benefit.


Received on Monday, 25 July 2011 20:45:56 UTC