W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2010

[whatwg] @sandbox and navigation top

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 12 Feb 2010 23:48:51 -0800
Message-ID: <448e9a321002122348w78c892e7u18306e5e19eb0ba4@mail.gmail.com>
> Can a frame in @sandbox ever navigation the top-level frame? ?If not,
> that would make it hard to use @sandbox to contain advertisements,
> which want to navigate |top| when the user clicks on the ad.

Ads would want to be able to do that, but user-controlled gadgets
shouldn't. I suppose the top-level page should be able to specify, and
the entire @sandbox chain would need to be traversed to make the call
(so that @sandbox included on example.com that is prohibited from
messing with the top-level frame can't just create a nested frame
without the restriction, and bypass the check).

I assume that chain-style checking is already a part of the spec, as
we obviously don't want other restrictions to be removed in a similar
manner?

/mz
Received on Friday, 12 February 2010 23:48:51 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:21 UTC