- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sat, 13 Feb 2010 02:03:15 -0800
On Feb 12, 2010, at 11:54 PM, Adam Barth wrote:

> On Fri, Feb 12, 2010 at 11:48 PM, Michal Zalewski
> <lcamtuf at coredump.cx> wrote:
>>> Can a frame in @sandbox ever navigate the top-level frame? If not,
>>> that would make it hard to use @sandbox to contain advertisements,
>>> which want to navigate |top| when the user clicks on the ad.
>>
>> Ads would want to be able to do that, but user-controlled gadgets
>> shouldn't. I suppose the top-level page should be able to specify, and
>> the entire @sandbox chain would need to be traversed to make the call
>> (so that @sandbox included on example.com that is prohibited from
>> messing with the top-level frame can't just create a nested frame
>> without the restriction, and bypass the check).
>>
>> I assume that chain-style checking is already a part of the spec, as
>> we obviously don't want other restrictions to be removed in a similar
>> manner?
>
> Yes, the sandbox restrictions collect in subframes.
>
> Perhaps we want an "allow-frame-busting" directive? In the
> implementation we have an "allow-navigation" bit that covers
> navigating |top| as well as window.open, etc. Maybe we want a more
> general directive that twiddles this bit?

Some may want to have a directive that allows only opening new windows and not navigating the top level. This is the policy Caja tries to enforce by default, for instance. For ads I could imagine wanting only top-level navigation and not window opening. So maybe this should be two flags.

Regards,
Maciej
Received on Saturday, 13 February 2010 02:03:15 UTC
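
The chain-style check and the two-flag split discussed in this message, sketched as a toy model. This is an added example, not code from the thread, from any browser, or from the spec; the `Frame` class and the capability names `top-navigation` and `open-window` are hypothetical labels for the two abilities being discussed.

```javascript
// Toy model of the chain-style sandbox check (added example, not browser code).
// Capability names are hypothetical labels for the two abilities in the thread.
const TOP_NAVIGATION = "top-navigation";
const OPEN_WINDOW = "open-window";
const ALL_CAPABILITIES = [TOP_NAVIGATION, OPEN_WINDOW];

class Frame {
  // allowed === null: the frame has no sandbox of its own.
  // allowed === []:   the frame is sandboxed with nothing re-enabled.
  constructor(name, parent = null, allowed = null) {
    this.name = name;
    this.parent = parent;
    this.allowed = allowed === null ? null : new Set(allowed);
  }
}

// Restrictions collect in subframes: every sandboxed frame between the
// caller and the top-level page must grant the capability.
function isAllowed(frame, capability) {
  for (let f = frame; f !== null; f = f.parent) {
    if (f.allowed !== null && !f.allowed.has(capability)) return false;
  }
  return true;
}

// Comma-separated list of what a frame can actually do after the chain walk.
function effectiveCapabilities(frame) {
  return ALL_CAPABILITIES.filter((c) => isAllowed(frame, c)).join(",");
}

function demo() {
  const top = new Frame("example.com");
  // Ad: may navigate |top| on click, may not open windows.
  const ad = new Frame("ad", top, [TOP_NAVIGATION]);
  // Gadget: may open windows, may not navigate |top|.
  const gadget = new Frame("gadget", top, [OPEN_WINDOW]);
  // Nested frames created by the gadget, trying to drop the restriction.
  const nestedPlain = new Frame("nested-plain", gadget);
  const nestedWide = new Frame("nested-wide", gadget, ALL_CAPABILITIES);
  return {
    ad: effectiveCapabilities(ad),
    gadget: effectiveCapabilities(gadget),
    nestedPlain: effectiveCapabilities(nestedPlain),
    nestedWide: effectiveCapabilities(nestedWide),
  };
}

console.log(demo());
```

Both nested frames end up with exactly the gadget's capabilities, whether they carry no sandbox of their own or one that claims more than the parent has.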