W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2010

[whatwg] @sandbox and navigation top

From: Adam Barth <whatwg@adambarth.com>
Date: Sat, 13 Feb 2010 00:36:20 -0800
Message-ID: <7789133a1002130036qf2480d9q2f9e0084aaa131c@mail.gmail.com>
On Sat, Feb 13, 2010 at 12:08 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> Perhaps we want an "allow-frame-busting" directive? ?In the
>> implementation we have an "allow-navigation" bit that covers
>> navigation |top| as well as window.open, etc. ?Maybe we want a more
>> general directive that twiddles this bit?
>
> I'm wondering if sites want to have control over the type of
> navigation: navigating the top-level context versus opening a new
> window? In particular, I am thinking about ads in embeddable gadgets
> (on social sites, or in places such as Docs, Wave, etc): you do not
> want the gadget to interfere with the presentation of the page by
> triggering disruptive and unsolicited top frame transitions (as this
> could be used for a crude DoS - in fact, IIRC, there is some history
> along these lines), but you may bey OK with a pop-up ad following a
> click.

Yeah, I think there are use cases for both top-level navigation and
window.open from sandboxed context.  I suspect there's some trade off
between complexity and fine-grained control.

Adam
Received on Saturday, 13 February 2010 00:36:20 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:21 UTC