iFrame access


As part of my never ending quest to banish untrusted third party content into iframes...

Would it be possible to introduce a new token to the `sandbox` attribute, so that it allows the iframed document (cross domain) to read the Text Content of the parent document?

Something like:

	<iframe sandbox="allow-parent-text-content-read ..."></iframe>

This would allow Ad networks to put their unsafe/untrusted/messy JavaScript into a sandboxed iframe, and for them to have the very limited permission of being able to read the `.textContent` of the parent DOM - which is something they insist on for "contextual adverts".

We can then block the third party from having full read/write access to the whole page.

This will stop them seeing anything that isn't the text on the page (e.g. CSRF tokens, or values in input fields):

	<form action="/profile" id="profile">
		<label for="name">Name</label>
		<input type="text" id="name" value="Craig" />
		<input type="hidden" name="csrf" value="kr3aN1oY" />

		console.log(document.getElementById('profile').textContent); // Output "Name"


https://www.w3.org/TR/2011/WD-html5-20110525/the-iframe-element.html#attr-iframe-sandbox <https://www.w3.org/TR/2011/WD-html5-20110525/the-iframe-element.html#attr-iframe-sandbox>

https://github.com/craigfrancis/security/tree/master/third-party-content <https://github.com/craigfrancis/security/tree/master/third-party-content>

Received on Sunday, 20 March 2016 21:06:32 UTC