Re: iframe sandbox for third-party widgets and ads (was Re: [CSP] Clarifications on nonces)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 9 Feb 2015 08:57:19 -0800
Message-ID: <CAPfop_14e=D4GtDfq1fTC-wOVZ9LRN9T0OQLOGedkvYZUVwCFw@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi

Isn't one explicit motivation for sub-origins the limitations of
sandbox brought up here? See intro section in
https://metromoxie.github.io/webappsec/specs/suborigins/. Maybe it
might be enough to support the ad and third party widget use cases too.

cheers
Dev

On 9 February 2015 at 04:27, Jim Manico <jim.manico@owasp.org> wrote:
>> It would be great
> to hear from you and others about why it is unrealistic now.
>
> If you want to get premium-level compensation from some ad providers
> then you need to give them full DOM access.  This "goes away" in a
> world where ads are fully sandboxed or not allowed DOM access.
>
> I am just wondering is the end game to shut this down or perhaps
> provide a more flexible sandbox? I am hoping a flexible sandbox is the
> end game.
>
> If there is a configurable ad-friendly web standard for DOM accessible
> advertising, please point me in the direction.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
>> On Feb 9, 2015, at 12:55 PM, Mike West <mkwst@google.com> wrote:
>>
>> It would be great
>> to hear from you and others about why it is unrealistic now.
>
Received on Monday, 9 February 2015 16:58:16 UTC