Re: iframe sandbox for third-party widgets and ads (was Re: [CSP] Clarifications on nonces)

Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Isn't one explicit motivation for sub-origins the limitations of
> sandbox bought up here? See intro section in
> https://metromoxie.github.io/webappsec/specs/suborigins/. Maybe it
> might be enough to support the ad and third party widget use cases too.

Yes, the suborigin document is what got me thinking about improving
iframe sandbox in the first place. In particular, the suborigin
document says, basically, that because iframe sandbox does not work
for some use cases, something completely different is needed. I'm
trying to understand why we can't just improve iframe sandbox instead,
at least for the embedded content case. I understand that there is
still the issue of being able to have https://www.google.com/maps
isolated from the rest of https://www.google.com/, but I think it may
be useful to approach that issue separately from the embedding issue.

Cheers,
Brian

Received on Wednesday, 11 February 2015 22:31:52 UTC