Re: [w3c/ServiceWorker] `<iframe sandbox />` + SW (#1390)

Hi,
I would similarly also like to indicate support for this feature.

We wish to be able to load arbitrary and untrusted HTML/CSS/JS into an iframe. I want protection from Spectre et al. attacks and also from JavaScript execution escaping from the confines of the iframe.
The limitation that it is not possible to intercept requests inside an iframe if `allow-same-origin` sandbox is NOT set is a huge deal for us.
The scenario is an E2E encrypted web application where HTML/CSS/JS resources are decrypted locally. I then wish to display them inside a sandboxed iframe.

I have created a POC at: https://kevodwyer.github.io/sandbox/
Hopefully that explains the flow and the issue.

This behaviour has come up in discussions on various use cases in the following issues:
[VS Code web view - 1437](https://github.com/w3c/ServiceWorker/issues/1437)
[web mail - 765](https://github.com/w3c/ServiceWorker/issues/765) 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1390#issuecomment-569658589

Received on Monday, 30 December 2019 11:58:13 UTC