- From: Jim Manico <jim.manico@owasp.org>
- Date: Mon, 9 Feb 2015 20:04:45 +0100
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <1524222875502122320@unknownmsgid>
> From my perspective, the easiest way to accommodate that demand-side feature pressure is not a bunch of fine-grained feature flags, but prioritizing a model that can be easily integrated into the *authoring tools* for advertising creative content

Brad, if you want effective authoring tools for "advertising creative content" that can access •some• of the DOM, I think fine-grained feature flags will be needed.

And someone please shoot me for discussing advertiser concerns. I feel dirty.

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

On Feb 9, 2015, at 7:49 PM, Brad Hill <hillbrad@gmail.com> wrote:

<hat=individual>

In the end, like so much of security, this is going to boil down to economics and incentives. We should take it as a given that we are not going to solve everybody's problem and create a perfect security utopia for advertising. What we can do is create primitives that allow those on the supply-side who care to offer reasonable security guarantees without having to turn away too much demand.

From my perspective, the easiest way to accommodate that demand-side feature pressure is not a bunch of fine-grained feature flags, but prioritizing a model that can be easily integrated into the *authoring tools* for advertising creative content, so that it is clear to agencies what will work and how they can build stuff that will be supported in a "secure" ad placement.

-Brad

On Mon Feb 09 2015 at 4:29:49 AM Jim Manico <jim.manico@owasp.org> wrote:

>
> It would be great
> to hear from you and others about why it is unrealistic now.
>
> If you want to get premium-level compensation from some ad providers
> then you need to give them full DOM access. This "goes away" in a
> world where ads are fully sandboxed or not allowed DOM access.
>
> I am just wondering is the end game to shut this down or perhaps
> provide a more flexible sandbox? I am hoping a flexible sandbox is the
> end game.
>
> If there is a configurable ad-friendly web standard for DOM accessible
> advertising, please point me in the direction.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
>
> On Feb 9, 2015, at 12:55 PM, Mike West <mkwst@google.com> wrote:
> >
> > It would be great
> > to hear from you and others about why it is unrealistic now.
> >

Received on Monday, 9 February 2015 19:05:18 UTC