- From: Ian Melven <imelven@mozilla.com>
- Date: Wed, 28 Nov 2012 11:48:17 -0800 (PST)
- To: whatwg@lists.whatwg.org
Hi, while working on https://bugzilla.mozilla.org/show_bug.cgi?id=785310 (block setting window.top.location from a document sandboxed without 'allow-top-navigation') and discussing the correct behavior with Bobby Holley, I found some interesting differences between what Chrome and IE have implemented around top navigation and iframe sandbox.

In my testing with Chrome, if you have a sandboxed document with the same origin as the top level document and the sandboxed document has 'allow-same-origin allow-scripts', the sandboxed document can NOT navigate the top level document via setting window.top.location, i.e. it's blocked. Bobby pointed out that blocking top navigation when the sandboxed document is same origin with the top level document is difficult, since the sandboxed document can do window.top.eval('window.location = "http://foo.com"'). This bypasses the block in Chrome and the top navigation happens.

In IE 10, at least in the Windows 8 consumer preview, which is the latest version I have at the moment unfortunately, you can set window.top.location from a document that's same origin with the top level document which is contained in an <iframe sandbox = 'allow-same-origin allow-scripts'>, i.e. it doesn't need allow-top-navigation.

It would be great if the spec could clarify the correct behavior around top navigation when the sandboxed document is/is not same origin with the top level document. One option would be for Chrome/WebKit to also block the window.top.eval loophole, but in general we feel that trying to stop this when the documents are same origin would possibly be problematic. Another option would be to not block top navigation when the sandboxed document is same origin with the top level document (which implies it's been sandboxed with 'allow-same-origin', of course). From discussions with Bobby, I think we prefer the second option. The restriction on navigating window.top would only be applied in the cross domain case.

thanks !

ian
Received on Wednesday, 28 November 2012 19:48:55 UTC
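The two behaviours weighed in the post, as an added example (this is not code from the post, from Mozilla, or from any browser engine): a small JavaScript model of the "block always, but a same-origin window.top.eval slips through" behaviour reported for Chrome versus the "restrict only when cross-origin" option the post prefers, plus a generator for a page you can open in a browser to repeat the manual tests. The function names (decideTopNavigation, buildTestPage, expectedOutcomes), the policy labels, the frame configurations and the target URL are my own assumptions. srcdoc frames are used because they inherit the embedder's origin unless the sandbox omits allow-same-origin, which reproduces the same-origin case without a second host.

```javascript
// Added example, not from the mailing-list post or any browser's source.
// Models the two top-navigation policies discussed and generates a manual
// test page. Names and the policy labels are assumptions made here.

// frame: { sandboxed, allowTopNavigation, allowSameOrigin, sameOriginAsTop, viaTopEval }
//   'blockAlways'     : behaviour the post reports for Chrome; a sandboxed
//                       document needs allow-top-navigation even when
//                       same-origin, but window.top.eval(...) gets past it.
//   'crossOriginOnly' : the post's preferred option; the restriction applies
//                       only when the document is cross-origin with top.
function decideTopNavigation(frame, policy) {
  const { sandboxed, allowTopNavigation, allowSameOrigin,
          sameOriginAsTop, viaTopEval } = frame;
  // A sandbox without allow-same-origin gives the document a unique origin,
  // so it is never same-origin with top whatever URL it was loaded from.
  const sameOrigin = sameOriginAsTop && (!sandboxed || allowSameOrigin);
  // Assigning window.top.location works across origins, but calling
  // window.top.eval from a cross-origin document throws a SecurityError.
  if (viaTopEval && !sameOrigin) {
    return { allowed: false, reason: 'window.top.eval is cross-origin' };
  }
  if (!sandboxed || allowTopNavigation) {
    return { allowed: true, reason: 'not restricted' };
  }
  switch (policy) {
    case 'blockAlways':
      return viaTopEval
        ? { allowed: true, reason: 'same-origin window.top.eval bypasses the block' }
        : { allowed: false, reason: 'sandboxed without allow-top-navigation' };
    case 'crossOriginOnly':
      return sameOrigin
        ? { allowed: true, reason: 'same-origin with top, restriction not applied' }
        : { allowed: false, reason: 'cross-origin and sandboxed without allow-top-navigation' };
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

// Frame configurations for the generated page (assumed set, mirrors the post).
const SANDBOX_CASES = [
  { id: 'no-sandbox', sandbox: null },
  { id: 'same-origin-scripts', sandbox: 'allow-same-origin allow-scripts' },
  { id: 'same-origin-scripts-topnav', sandbox: 'allow-same-origin allow-scripts allow-top-navigation' },
  { id: 'scripts-only', sandbox: 'allow-scripts' },
];

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Inner document: one button per technique. An exception is reported to the
// parent via postMessage; a success is visible as top navigating away.
function frameDocument(id, targetUrl) {
  const url = JSON.stringify(targetUrl); // JS string literal for the inner script
  return `<!doctype html><p>${id}</p>
<button onclick="attempt('direct')">window.top.location</button>
<button onclick="attempt('eval')">window.top.eval</button>
<script>
function attempt(how) {
  try {
    if (how === 'direct') window.top.location = ${url};
    else window.top.eval('window.location = ' + ${JSON.stringify(url)});
  } catch (e) {
    parent.postMessage({ frame: ${JSON.stringify(id)}, how: how, error: String(e) }, '*');
  }
}
</script>`;
}

// Outer page: one srcdoc iframe per case plus a log of reported exceptions.
function buildTestPage(targetUrl) {
  const frames = SANDBOX_CASES.map((c) => {
    const sandbox = c.sandbox === null ? '' : ` sandbox="${c.sandbox}"`;
    return `<iframe id="${c.id}"${sandbox} srcdoc="${escapeAttr(frameDocument(c.id, targetUrl))}"></iframe>`;
  }).join('\n');
  return `<!doctype html><title>top-navigation sandbox tests</title>
<pre id="log"></pre>
${frames}
<script>
window.addEventListener('message', function (e) {
  document.getElementById('log').textContent += JSON.stringify(e.data) + '\\n';
});
</script>`;
}

// What the model predicts for each generated frame under a policy, to compare
// with what a browser actually does when the page is loaded.
function expectedOutcomes(policy) {
  const out = {};
  for (const c of SANDBOX_CASES) {
    const flags = c.sandbox ? c.sandbox.split(' ') : [];
    const frame = {
      sandboxed: c.sandbox !== null,
      allowTopNavigation: flags.includes('allow-top-navigation'),
      allowSameOrigin: flags.includes('allow-same-origin'),
      sameOriginAsTop: true, // srcdoc frames are loaded from top's own origin
    };
    out[c.id] = {
      direct: decideTopNavigation({ ...frame, viaTopEval: false }, policy).allowed,
      eval: decideTopNavigation({ ...frame, viaTopEval: true }, policy).allowed,
    };
  }
  return out;
}
```

Serve the output of buildTestPage('https://example.test/') from a real http origin rather than a file URL, click each button, and compare what happens with expectedOutcomes('blockAlways') and expectedOutcomes('crossOriginOnly'). A thrown exception appears in the log; a successful attempt shows as the top window leaving the page. The model's 'scripts-only' row is the same under both policies, since a frame without allow-same-origin is cross-origin with top and neither option disputes that case.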