- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 13 Jan 2010 03:29:16 +0000 (UTC)
- To: "Roy T. Fielding" <fielding@gbiv.com>, "sird@rckc.at" <sird@rckc.at>, Maciej Stachowiak <mjs@apple.com>, Boris Zbarsky <bzbarsky@MIT.EDU>, Devdatta <dev.akhawe@gmail.com>
- Cc: public-html@w3.org, public-web-security@w3.org
On Tue, 12 Jan 2010, Roy T. Fielding wrote: > On Jan 12, 2010, at 5:51 PM, Ian Hickson wrote: > > > > In response to implementor feedback regarding the sandbox="" feature > > of <iframe> in the WHATWG list [1], and based in part on a 2007 > > research paper from Microsoft [2], I have introduced a new MIME type > > for HTML (text/sandboxed-html) that is identical to text/html in every > > way except one critical aspect: resources served with this MIME type > > are forced into a unique security origin context. > > I would prefer a media type of "text/html-sandboxed", since that places > the two types next to each other in a sorted list and allows easier > prefix-matching when desired. Done. On Wed, 13 Jan 2010, sird@rckc.at wrote: > > this is a great idea! but I think that legacy browsers will prompt a > <download file> dialog if they dont support it. Right, that's the idea. > why not putting the sandboxed URL inside the sandbox attribute? anyway, > it's just a suggestion, the new mime type is a great idea, now sandbox > makes sense! The main reason for this feature is to prevent browsers from ever giving this file rights if it is accessed directly (without a sandbox). For example, if you host a file you know is hostile, so that you can use it like this: <iframe src="hostile" sandbox></iframe> ...then you're still letting your users be vulnerable if they just navigate straight to the "hostile" file. However, if the "hostile" file is served as text/html-sandboxed, users wouldn't get attacked when they visit it, the file would just be downloaded/ignored/etc. On Wed, 13 Jan 2010, sird@rckc.at wrote: > > btw, I have one question > > <iframe sandbox-src="javascript:'in which context does this run?';"> Assuming you just mean: <iframe sandbox src="javascript:..."></iframe> ...then it runs in the same context as without the sandbox. What is sandboxed is then the return value (which is parsed as HTML, as usual for javascript: URLs used for navigating browsing contexts). On Tue, 12 Jan 2010, Boris Zbarsky wrote: > > My concern was whether sites would choose to use this if it meant that > <iframe sandbox> in a browser with no sandbox support would do weird > stuff with the content. I guess doing weird stuff is certainly > preferable to it being treated as HTML by said browser. ;) Yeah, this is not a feature that is intended to be used exclusively, at least not when targetting legacy UAs. It's hard to use any new security feature when targetting legacy UAs. :-) On Tue, 12 Jan 2010, Devdatta wrote: > > > > A site wishing to selectively use either <iframe sandbox> or nothing > > could feature-detect sandbox support before attempting to load the > > text/sandboxed-html resource. > > That seems like an important functionality. How would sites be able to > detect support (short of user agent sniffing) ? if ('sandbox' in document.createElement('iframe')) { // sandboxing supported } -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 13 January 2010 03:29:48 UTC