- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 11 Feb 2015 14:21:01 -0800
- To: Mike West <mkwst@google.com>
- Cc: Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote: > Brian Smith <brian@briansmith.org> wrote: >> >> For example, you say that my suggestion doesn't seem >> realistic "especially for media-centric endeavors." It would be great >> to hear from you and others about why it is unrealistic now. > > I'm sure folks who are more deeply involved with advertising projects could > give a better list, but three things come to mind right away: > > 1. Sandboxed IFrames can't execute plugins. This is the old issue https://www.w3.org/Bugs/Public/show_bug.cgi?id=13032. Presumably, the only plugin people care about in third-party widgets is Adobe Flash. It would be great if somebody from Google could comment about the feasibility of enforcing iframe sandbox for the Adobe Flash plugin via the Pepper Plugin API and/or via iframe isolation. Do you know who from Google could provide such a response? Also, there are lots of ads that don't use Flash and the percentage of non-Flash ads is likely to increase over time to 100%. So, even without allow-plugins, there's value in making iframe sandbox work for non-Flash ads/widgets, which will increase over time. > 2. Some widgets and advertisements offer interactions that break out of the > bounds of an IFrame. This can range from boxes that expand when you > mouseover up through excitingly interactive bits that overlay a page's > content. These types of ads don't require access to the page content or to the embedding origin's cookies and whatnot. Adding something like "allow-overlay" and/or "allow-reposition" would still be a win, even though it increases the chances of some attacks succeeding like clickjacking. > 3. Some particularly lovely types of content "enhance" pages by (for > instance) turning every other word into a link with actions on hover. The vast majority of web pages with ads do not have these kinds of ads. I think it is OK to concentrate on making iframe sandbox work for other kinds of ads/widgets first. > It would be good to determine how we can best solicit feedback from > advertisers and widget creators, as I suspect that most folks meeting that > description aren't participating in the WG. :/ I agree that more communication is needed here. Detailed feedback from Google and Facebook would go a long way, and luckily there are very active WG participants from both of those companies who may be able to help facilitate the dialog. Cheers, Brian
Received on Wednesday, 11 February 2015 22:21:28 UTC