[whatwg] iframe sandbox and top navigation from Ian Melven on 2012-11-28 (public-whatwg-archive@w3.org from November 2012)

From: Ian Melven <imelven@mozilla.com>
Date: Wed, 28 Nov 2012 11:48:17 -0800 (PST)
To: whatwg@lists.whatwg.org
Message-ID: <951993145.1391696.1354132097113.JavaMail.root@mozilla.com>

Hi,

while working on https://bugzilla.mozilla.org/show_bug.cgi?id=785310 (block setting
window.top.location from a document sandboxed without 'allow-top-navigation') and discussing
the correct behavior with Bobby Holley, I found some interesting differences
between what Chrome and IE have implemented around top navigation and iframe sandbox.

In my testing with Chrome, if you have a sandboxed document with the same
origin as the top level document and the sandboxed document has 'allow-same-origin allow-scripts',
the sandboxed document can NOT navigate the top level document via setting window.top.location 
ie it's blocked. Bobby pointed out that blocking top navigation when the sandboxed document
is same origin with the top level document is difficult, since the sandboxed document
can do window.top.eval('window.location = "http://foo.com"') - this bypasses the block in Chrome
and the top navigation happens. 

In IE 10, at least in the Windows 8 consumer preview which is the latest
version i have at the moment unfortunately, you can set window.top.location from a document that's same origin
with the top level document which is contained in an <iframe sandbox = 'allow-same-origin allow-scripts'> ie it doesn't
need allow-top-navigation.

It would be great if the spec could clarify the correct behavior around top navigation
when the sandboxed document is/is not same origin with the top level document. 

One option would be for Chrome/Webkit to also block the window.top.eval loophole, but in general
we feel that trying to stop this when the documents are same origin would possibly be problematic. 
Another option would be to not block top navigation when the sandboxed document is same origin
with the top level document (which implies it's been sandboxed with 'allow-same-origin' of course). 

>From discussions with Bobby, I think we prefer the second option. The restriction on navigating
window.top would only be applied in the cross domain case. 

thanks !
ian

Received on Wednesday, 28 November 2012 19:48:55 UTC