Re: iframe sandbox for third-party widgets and ads (was Re: [CSP] Clarifications on nonces)

From: Brian Smith <brian@briansmith.org>
Date: Wed, 11 Feb 2015 14:23:52 -0800
Message-ID: <CAFewVt5_RSbgRf0ugzt6H35psbF1cosiw5PPL8HaGDe1HHWuww@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Jim Manico <jim.manico@owasp.org> wrote:
>> It would be great
>> to hear from you and others about why it is unrealistic now.
>
> If you want to get premium-level compensation from some ad providers
> then you need to give them full DOM access.  This "goes away" in a
> world where ads are fully sandboxed or not allowed DOM access.

I can understand that complete lack of DOM access and/or being thrown
in a sandbox may be considered too limiting by some advertisers. But,
there must be some middle ground between all or nothing. Do they want
DOM access because they want to be able to animate/reposition their
ad? Do they want to read the contents of the page and use them to
select an ad (GMail style)? Are they stealing cookies? (I doubt it.)
Any more specific details you can provide would be great.

> I am just wondering is the end game to shut this down or perhaps
> provide a more flexible sandbox? I am hoping a flexible sandbox is the
> end game.
>
> If there is a configurable ad-friendly web standard for DOM accessible
> advertising, please point me in the direction.

I don't know what meets the bar of "DOM accessible," but that's
exactly what I'm interested in creating.

Cheers,
Brian
Received on Wednesday, 11 February 2015 22:24:19 UTC