Re: Proposal: Two changes to iframe@sandbox

I'm not in whatwg, but I do want to say that this seems like a pleasant
change from a user perspective.  I'm glad to hear your ad teams are
thinking about this!


On Sun, May 10, 2015 at 9:11 PM, Mike West <> wrote:

> (BCC:
> Hello, wonderful whatwg@ folks!
> I've talked with a few folks from Google's advertising teams who are
> interested in using sandboxed iframes to mitigate the risks associated with
> ads. They've flagged two things that they'd like to see happen in the
> future:
> 1. Block usage of `alert()` (and its friends `confirm()`, `prompt()`, and
> `print()` (and `showModalDialog()` for browsers that support it)).
> 2. Allow sandboxed frames to spawn new windows without forcing the sandbox
> upon them. This would allow the advertisement itself to be sandboxed,
> without forcing the same restrictive flags upon a landing page.
> # Proposal
> 1. Block modal dialogs from inside sandboxed frames. That is:
> * `alert(...)` would return without popping up a dialog.
> * `confirm(...)` would return `false` without popping up a dialog.
> * `prompt(...)` would return `null` without popping up a dialog.
> * `print(...)` would return without popping up a dialog.
> This was discussed briefly at
> but I didn't find any follow-up (CCing folks from that thread). I've added
> metrics to Chrome in, but it
> will take a few weeks to get good data. Given the low usage of sandboxes in
> general (~0.5% of page views, according to
>, I
> suspect we could fairly easily make this change.
> 2. Add an `allow-unsandboxed-auxiliary` keyword to those supported by the
> `sandbox` attribute, which, when present, would allow auxiliary browsing
> contexts created by `` and `target="_blank"` links to create
> clean browsing contexts, unaffected by the sandbox which spawned them.
> --
> Mike West <>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 13 May 2015 21:08:16 UTC
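
The two proposed rules from the quoted message, modelled as an added example (not code from the thread, from Chrome, or from any specification). The "dialog" marker, the function names and the sample policies are assumptions of this sketch; the `allow-popups` gate is existing sandbox behaviour rather than part of the proposal.

```javascript
// Added model of the proposal quoted above; it simulates the rules, it is not browser code.
// PROPOSED is the keyword name from the email (a proposal at the time of writing).
const PROPOSED = "allow-unsandboxed-auxiliary";

// sandbox is a set of space-separated, ASCII case-insensitive tokens.
// null means the iframe carries no sandbox attribute; "" means fully sandboxed.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Proposal item 1: value a modal call returns inside a sandboxed frame.
// "dialog" is this model's marker for the unsandboxed case (browser shows UI).
const BLOCKED = new Map([["alert", undefined], ["confirm", false],
                         ["prompt", null], ["print", undefined]]);
function modalResult(attr, fn) {
  if (!BLOCKED.has(fn)) throw new Error("not a modal function: " + fn);
  return parseSandbox(attr) === null ? "dialog" : BLOCKED.get(fn);
}

// Proposal item 2: sandbox applied to a new window the frame spawns.
// The allow-popups gate is existing sandbox behaviour, not part of the email.
function auxiliaryContext(attr) {
  const tokens = parseSandbox(attr);
  if (tokens === null) return { opens: true, sandbox: null };
  if (!tokens.has("allow-popups")) return { opens: false, sandbox: null };
  if (tokens.has(PROPOSED)) return { opens: true, sandbox: null };
  return { opens: true, sandbox: [...tokens].sort().join(" ") };
}

// Constructed sample policies for an ad frame, reviewed the way an audit would.
const SAMPLES = [null, "", "allow-scripts allow-popups",
                 "Allow-Scripts  ALLOW-POPUPS allow-unsandboxed-auxiliary"];
function audit(samples) {
  return samples.map((attr) => {
    const aux = auxiliaryContext(attr);
    return { attr, confirmReturns: modalResult(attr, "confirm"),
             popupOpens: aux.opens, landingPageSandbox: aux.sandbox };
  });
}

console.log(audit(SAMPLES));
```

In the audit output, a `landingPageSandbox` of `null` on a sandboxed frame marks a policy under which the landing page would open outside the ad's sandbox.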