
iframe sandbox for third-party widgets and ads (was Re: [CSP] Clarifications on nonces)

From: Brian Smith <brian@briansmith.org>
Date: Mon, 9 Feb 2015 03:41:02 -0800
Message-ID: <CAFewVt4y3T8JU84A0t9jZmPtmDqHr9Vv+hBED=VneS15seC4CA@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Jim Manico <jim.manico@owasp.org> wrote:
>> The general thrust is "Don't run third-party JavaScript in your site's context." and "Don't serve ads that require DOM access"
>
> Mike, this shuts down the vast majority of the internet advertising
> industry and doesn't seem realistic, especially for media-centric
> endeavors. What is the endgame here, sandboxing or forcing the ad
> industry to fundamentally change?

My suggestions here definitely are solely about applying the principle
of least privilege to ads and other third-party code that is commonly
embedded on pages. It's not about hurting advertisers or eliminating
their access to any information they need access to. My suggestions
are purely about eliminating the ability of a compromised ad/widget
server to compromise the security of every origin that embeds its
content.

I think it is likely that the current capabilities of iframe sandbox
are insufficient to satisfy the (perceived) needs of such third-party
widgets, but I think that's something that can be fixed. But,
solutions require more input from the people that build and use these
widgets. For example, you say that my suggestion doesn't seem
realistic "especially for media-centric endeavors." It would be great
to hear from you and others about why it is unrealistic now.

Cheers,
Brian
Received on Monday, 9 February 2015 11:41:32 UTC
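The least-privilege embedding Brian describes, as an added example that is not code from this thread, from the W3C, or from any ad network: the inline-script pattern he argues against next to a sandboxed-iframe alternative, plus the host-side postMessage handler such a widget needs in practice (the postMessage part goes a little beyond the message, which only discusses iframe sandbox). The host name ads.example, the capability list, the message vocabulary and all function names are hypothetical. The policy and validation logic runs under Node; the DOM wiring is shown in the usage comment at the end.

```javascript
"use strict";

// Added example, not from the thread. Everything below (ads.example, the
// capability whitelist, the message schema) is a hypothetical host-page policy.

// Sandbox tokens the host is willing to grant a third-party widget.
// allow-same-origin and allow-top-navigation are deliberately absent: the widget
// then runs in an opaque origin (no cookies or storage of its own server's
// origin, and certainly none of ours) and cannot navigate the embedding page.
const GRANTABLE = new Set([
  "allow-scripts",
  "allow-forms",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
]);

// Minimal attribute-value escaping for the markup built below.
function escapeAttr(s) {
  return String(s).replace(/[&"<>]/g, (c) =>
    ({ "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" }[c]));
}

// The pattern the message argues against: the ad's script executes in the
// publisher's own origin, so a compromised ads.example server owns every site
// that embeds it (DOM, cookies, storage, the lot).
function inlineScriptEmbed(src) {
  return `<script src="${escapeAttr(src)}"></script>`;
}

// Least-privilege alternative: a sandboxed iframe carrying only the
// capabilities in `caps`. Unknown or non-grantable tokens throw instead of
// being passed through, so a typo or a copy-pasted "allow-same-origin" cannot
// silently widen the sandbox. The src must be an absolute https URL.
function sandboxedEmbed(src, caps) {
  const granted = [];
  for (const cap of caps) {
    if (!GRANTABLE.has(cap)) {
      throw new Error(`capability not grantable to a third-party widget: ${cap}`);
    }
    if (!granted.includes(cap)) granted.push(cap);
  }
  const url = new URL(src); // throws on a relative or malformed src
  if (url.protocol !== "https:") {
    throw new Error("third-party widgets must be loaded over https");
  }
  return `<iframe src="${escapeAttr(url.href)}" sandbox="${granted.join(" ")}" ` +
    `referrerpolicy="strict-origin-when-cross-origin"></iframe>`;
}

// Host-side handler for messages from the widget. With no allow-same-origin
// the frame's origin is opaque, so event.origin is the string "null"; we also
// pin event.source to the one window we created, so a message from any other
// frame (including a second sandboxed ad) is dropped. Only a tiny, validated
// vocabulary is accepted, and the one numeric field is range-checked.
const MAX_HEIGHT = 1200; // hypothetical layout limit in CSS pixels

function handleWidgetMessage(event, widgetWindow) {
  if (event.source !== widgetWindow) return { ok: false, reason: "unexpected source" };
  if (event.origin !== "null") return { ok: false, reason: "unexpected origin" };
  const data = event.data;
  if (!data || typeof data !== "object") return { ok: false, reason: "malformed" };
  switch (data.type) {
    case "resize": {
      const h = data.height;
      if (!Number.isInteger(h) || h < 0 || h > MAX_HEIGHT) {
        return { ok: false, reason: "bad height" };
      }
      return { ok: true, action: "resize", height: h };
    }
    case "ready":
      return { ok: true, action: "ready" };
    default:
      return { ok: false, reason: "unknown message type" };
  }
}

// Usage in a browser (not executed under Node):
//   container.innerHTML =
//     sandboxedEmbed("https://ads.example/widget", ["allow-scripts", "allow-popups"]);
//   const frame = container.querySelector("iframe");
//   window.addEventListener("message", (e) => {
//     const r = handleWidgetMessage(e, frame.contentWindow);
//     if (r.ok && r.action === "resize") frame.style.height = r.height + "px";
//   });
```

The host never hands the widget a reference into its own DOM; everything the widget can do to the page is enumerated in `handleWidgetMessage`, which is the surface a compromised ad server would have to attack instead of every embedding origin at once.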