Re: iframe sandbox for third-party widgets and ads (was Re: [CSP] Clarifications on nonces)

From: Brian Smith <brian@briansmith.org>
Date: Wed, 11 Feb 2015 14:21:01 -0800
Message-ID: <CAFewVt4+kc21qMPNMc+G=OXWpXqXZG8poctyB5VU7bUEtMR3fw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Mike West <mkwst@google.com> wrote:
> Brian Smith <brian@briansmith.org> wrote:
>>
>> For example, you say that my suggestion doesn't seem
>> realistic "especially for media-centric endeavors." It would be great
>> to hear from you and others about why it is unrealistic now.
>
> I'm sure folks who are more deeply involved with advertising projects could
> give a better list, but three things come to mind right away:
>
> 1. Sandboxed IFrames can't execute plugins.

This is the old issue
https://www.w3.org/Bugs/Public/show_bug.cgi?id=13032. Presumably, the
only plugin people care about in third-party widgets is Adobe Flash.
It would be great if somebody from Google could comment about the
feasibility of enforcing iframe sandbox for the Adobe Flash plugin via
the Pepper Plugin API and/or via iframe isolation. Do you know who
from Google could provide such a response?

Also, there are lots of ads that don't use Flash and the percentage of
non-Flash ads is likely to increase over time to 100%. So, even
without allow-plugins, there's value in making iframe sandbox work for
non-Flash ads/widgets, which will increase over time.

> 2. Some widgets and advertisements offer interactions that break out of the
> bounds of an IFrame. This can range from boxes that expand when you
> mouseover up through excitingly interactive bits that overlay a page's
> content.

These types of ads don't require access to the page content or to the
embedding origin's cookies and whatnot. Adding something like
"allow-overlay" and/or "allow-reposition" would still be a win, even
though it increases the chances of some attacks succeeding like
clickjacking.

> 3. Some particularly lovely types of content "enhance" pages by (for
> instance) turning every other word into a link with actions on hover.

The vast majority of web pages with ads do not have these kinds of
ads. I think it is OK to concentrate on making iframe sandbox work for
other kinds of ads/widgets first.

> It would be good to determine how we can best solicit feedback from
> advertisers and widget creators, as I suspect that most folks meeting that
> description aren't participating in the WG. :/

I agree that more communication is needed here. Detailed feedback from
Google and Facebook would go a long way, and luckily there are very
active WG participants from both of those companies who may be able to
help facilitate the dialog.

Cheers,
Brian
Received on Wednesday, 11 February 2015 22:21:28 UTC
