Re: iframe sandbox suggestion

On Thu, 1 Apr 2010, Artur Adib wrote:
> 
> I am concerned that the suggested implementation of the feature still 
> leaves a security hole, namely allowing a cross-domain iframe'd document 
> to *read* the window.top location. (I understand the current draft 
> forbids *navigation* at the top level, but it seemingly leaves the 
> possibility of *reading* the top level location).

Any cross-origin access to window.top.location's value is blocked:

   http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location


> A face-value solution is to raise a security exception when a 
> cross-domain, sandboxed iframe tries to read its top-level location. 
> However, this raises some compatibility issues with existing websites 
> that implement the so-called "frame buster" trick (see e.g. twitter.com, 
> nytimes.com), since these sites test whether top.location != 
> self.location to enforce they are not framed.

That wouldn't break because that doesn't compare the URLs, it compares the 
actual objects. Such a test would actually frame-bust even if the two 
objects were the same URL, assuming they were nested in each other.


> I believe a better solution (and one that incidentally puts an end to 
> the ridiculous "frame buster" war, see e.g. 
> http://en.wikipedia.org/wiki/Framekiller) is to return the sandboxed 
> location itself when it attempts to read top.location.  That way, the 
> sandboxed environment behaves as a standalone "mini-browser", without 
> any awareness concerning its surrounding environment.

Frame busting is necessary for security -- without it you are vulnerable 
to clickjacking. There is work ongoing to make frame busting work better 
(and not rely on script), but that wouldn't prevent these from working.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 1 April 2010 21:04:18 UTC
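The frame-bust comparison discussed in the reply, modelled as an added example (not code from this thread): the window tree, the Location objects and the cross-origin SecurityError on reading top.location.href are constructed stand-ins, and makeWindow, isFramedByIdentity and isFramedByUrl are hypothetical helper names. It shows why the identity check keeps working across origins and fires even when both frames carry the same URL, while a URL-string comparison does not.

```javascript
// Build a window as seen from a script whose document lives at `scriptOrigin`.
// In a real browser, reading top.location.href cross-origin throws a
// SecurityError; comparing the Location *objects* does not touch any property.
function makeWindow(href, scriptOrigin, parent = null) {
  const origin = new URL(href).origin;
  const win = {
    location: {
      get href() {
        if (origin !== scriptOrigin) {
          throw new Error("SecurityError: cross-origin read of location.href blocked");
        }
        return href;
      },
    },
  };
  win.self = win;
  win.parent = parent || win;
  win.top = parent ? parent.top : win;
  return win;
}

// Frame-bust test as used by the sites mentioned in the thread: object identity.
function isFramedByIdentity(win) {
  return win.top.location !== win.self.location;
}

// Naive variant that compares URL strings instead of objects.
function isFramedByUrl(win) {
  return win.top.location.href !== win.self.location.href;
}

// Scenario 1: a page framed by a different origin (constructed hosts).
// The identity check detects framing; the URL comparison throws.
function crossOriginScenario() {
  const inner = "https://news.example";
  const top = makeWindow("https://other.example/page", inner);
  const frame = makeWindow("https://news.example/article", inner, top);
  let urlCheck;
  try { urlCheck = isFramedByUrl(frame); } catch (e) { urlCheck = e.message; }
  return { identity: isFramedByIdentity(frame), url: urlCheck };
}

// Scenario 2: a document nested inside a copy of itself at the same URL.
// Identity still reports framing; the URL comparison reports nothing.
function sameUrlScenario() {
  const o = "https://news.example";
  const top = makeWindow("https://news.example/article", o);
  const frame = makeWindow("https://news.example/article", o, top);
  return { identity: isFramedByIdentity(frame), url: isFramedByUrl(frame) };
}
```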