
Re: iframe sandbox for third-party widgets and ads (was Re: [CSP] Clarifications on nonces)

From: Brian Smith <brian@briansmith.org>
Date: Wed, 11 Feb 2015 14:31:25 -0800
Message-ID: <CAFewVt6yPJKcRt6Y-+SsipvwN1rage=+VnOsD2uNaLNp3HYExg@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Jim Manico <jim.manico@owasp.org>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Isn't one explicit motivation for sub-origins the limitations of
> sandbox brought up here? See intro section in
> https://metromoxie.github.io/webappsec/specs/suborigins/. Maybe it
> might be enough to support the ad and third party widget use cases too.

Yes, the suborigin document is what got me thinking about improving
iframe sandbox in the first place. In particular, the suborigin
document says, basically, that because iframe sandbox does not work
for some use cases, something completely different is needed. I'm
trying to understand why we can't just improve iframe sandbox instead,
at least for the embedded content case. I understand that there is
still the issue of being able to have https://www.google.com/maps
isolated from the rest of https://www.google.com/, but I think it may
be useful to approach that issue separately from the embedding issue.

Cheers,
Brian
Received on Wednesday, 11 February 2015 22:31:52 UTC