
[whatwg] @sandbox and navigation top

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 13 Feb 2010 02:03:15 -0800
Message-ID: <3983412B-FA37-4403-9F92-FE972CACFD9C@apple.com>

On Feb 12, 2010, at 11:54 PM, Adam Barth wrote:

> On Fri, Feb 12, 2010 at 11:48 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>>> Can a frame in @sandbox ever navigate the top-level frame?  If not,
>>> that would make it hard to use @sandbox to contain advertisements,
>>> which want to navigate |top| when the user clicks on the ad.
>>
>> Ads would want to be able to do that, but user-controlled gadgets
>> shouldn't. I suppose the top-level page should be able to specify, and
>> the entire @sandbox chain would need to be traversed to make the call
>> (so that @sandbox included on example.com that is prohibited from
>> messing with the top-level frame can't just create a nested frame
>> without the restriction, and bypass the check).
>>
>> I assume that chain-style checking is already a part of the spec, as
>> we obviously don't want other restrictions to be removed in a similar
>> manner?
>
> Yes, the sandbox restrictions collect in subframes.
>
> Perhaps we want an "allow-frame-busting" directive?  In the
> implementation we have an "allow-navigation" bit that covers
> navigating |top| as well as window.open, etc.  Maybe we want a more
> general directive that twiddles this bit?

Some may want to have a directive that allows only opening new windows and not navigating the top level. This is the policy Caja tries to enforce by default for instance. For ads I could imagine wanting only top-level navigation and not window opening. So maybe this should be two flags.

Regards,
Maciej
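As an added illustration of the chain-style check discussed in this thread (not code from the thread, from Caja, or from any browser implementation): a small JavaScript model of how sandbox restrictions accumulate down a frame chain, with the two capabilities Maciej proposes separating tracked as distinct tokens. The token names `allow-top-navigation` and `allow-popups` are the ones the shipped HTML `sandbox` attribute later adopted for exactly these two capabilities; the `ALL_FLAGS` list, the frame objects and the nesting scenario are constructed for the example. The point the model makes is the one Michal raises: a frame whose ancestors were denied top navigation cannot regain it by creating a nested frame, sandboxed or not, because a child's effective set is always the intersection of its own tokens with its parent's effective set.

```javascript
// Added example: sandbox flag inheritance along a frame chain (constructed model,
// not a browser's implementation). Each frame is { name, sandbox } where
// `sandbox` is the attribute string or null when the element has no sandbox.

// Capability tokens modelled here. Anything not in this list is ignored.
const ALL_FLAGS = Object.freeze([
  "allow-top-navigation", // may navigate |top| (what an ad typically wants)
  "allow-popups",         // may open new windows (what a gadget might get instead)
  "allow-scripts",
  "allow-forms",
]);

// Tokens a single frame grants on its own, ignoring ancestors.
// No sandbox attribute means the element itself grants everything.
function ownAllowed(frame) {
  if (frame.sandbox === null || frame.sandbox === undefined) {
    return new Set(ALL_FLAGS);
  }
  const tokens = frame.sandbox.trim().split(/\s+/).filter(Boolean);
  return new Set(tokens.filter((t) => ALL_FLAGS.includes(t)));
}

// Effective capability set for the last frame in `chain`, where `chain`
// runs from the top-level document down to the frame being checked.
// Restrictions only ever accumulate: each level intersects with its parent.
function effectiveAllowed(chain) {
  let allowed = new Set(ALL_FLAGS);
  for (const frame of chain) {
    const own = ownAllowed(frame);
    allowed = new Set([...allowed].filter((f) => own.has(f)));
  }
  return allowed;
}

function canNavigateTop(chain) {
  return effectiveAllowed(chain).has("allow-top-navigation");
}

function canOpenWindow(chain) {
  return effectiveAllowed(chain).has("allow-popups");
}

// Constructed scenario: a top-level page embeds an ad (top navigation only)
// and a user-controlled gadget (popups only). The gadget then tries to
// escape by nesting a frame that asks for allow-top-navigation.
const topDoc = { name: "top", sandbox: null };
const ad = { name: "ad", sandbox: "allow-scripts allow-top-navigation" };
const gadget = { name: "gadget", sandbox: "allow-scripts allow-popups" };
const escapeAttempt = { name: "nested", sandbox: "allow-scripts allow-top-navigation" };

function describe(label, chain) {
  return `${label}: navigateTop=${canNavigateTop(chain)} openWindow=${canOpenWindow(chain)}`;
}

console.log(describe("ad", [topDoc, ad]));
console.log(describe("gadget", [topDoc, gadget]));
console.log(describe("gadget > nested", [topDoc, gadget, escapeAttempt]));
```

The model treats a missing `sandbox` attribute as "grants everything the parent already has" rather than "unrestricted", which is what makes the nested-frame escape fail: the intersection with the gadget's set has already dropped `allow-top-navigation` before the nested frame's own tokens are consulted.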
Received on Saturday, 13 February 2010 02:03:15 UTC
