- From: Janusz Majnert <jmajnert@gmail.com>
- Date: Mon, 25 Feb 2013 11:13:36 +0100
- To: David Bruant <bruant.d@gmail.com>
- Cc: whatwg <whatwg@whatwg.org>
Hi,

From what I understand, it goes like this: Using the sandboxing flag on an iframe causes several fine-grained flags to be set (point 3 of the algorithm). One of the flags, the "sandboxed origin browsing context flag"[1], forces the document into a unique origin and blocks access to document.cookie and localStorage. This flag is set unless "allow-same-origin" is used.

So in effect, using "allow-same-origin" on an iframe containing a third-party site will sandbox it but will still allow it to use its own document.cookie and localStorage, without giving any access to the parent browsing context. The other fine-grained sandboxing flags will block it. In the example you gave, the "sandboxed navigation browsing context flag"[2] would kick in and prevent this behaviour.

Regards,
Janusz Majnert

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-origin-browsing-context-flag
[2] http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-navigation-browsing-context-flag

2013/2/25 David Bruant <bruant.d@gmail.com>:
> Hi,
>
> The current description of the allow-same-origin sandbox token in the spec is:
> "The allow-same-origin keyword allows the content to be treated as being from the same origin instead of forcing it into a unique origin;"
>
> This is a very scary wording. Understood naively, I understand I could host a page in the "davidbruant.github.com" domain with an iframe to anywhere (pick your favorite social network/email client website), add @sandbox="allow-same-origin" and suddenly, I'd be able to look at the content (since the iframe would be treated as being from the same origin).
>
> Obviously, that's not how it works (I say "obviously", because browser vendors would not have implemented what I just described. If they had, the world might have collapsed quickly).
>
> From what I've tested both in Firefox and Chrome, when I have an iframe from a different domain, I can get the contentDocument, but it looks like about:blank from what I can observe in the container. Where is this behavior described?
>
> Also, in some notes [1], I can read:
> "Second, [allow-same-origin] can be used to embed content from a third-party site, sandboxed to prevent that site from opening pop-up windows, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc."
>
> I fail to understand what is specific about allow-same-origin that allows that without adding also allow-scripts or allow-forms.
>
> As a more general question: does iframe@sandbox="allow-same-origin" make a page and a cross-origin iframe further connected than they are currently without the keyword?
>
> Thanks,
>
> David
>
> [1] http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#attr-iframe-sandbox-allow-same-origin
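The flag-setting step Janusz describes, as an added example that is not part of this thread: a small JavaScript model of the spec's "parse a sandboxing directive" algorithm, mapping a sandbox="" value to the fine-grained flags it sets and summarising what that means for the framed document. The origin strings and the `describeSandbox` helper are assumptions made for illustration; the capability summary is a simplification of the spec's origin rules.

```javascript
// Added example (not from the thread): model of the HTML spec's
// "parse a sandboxing directive" algorithm. Each flag is set unless the
// listed keyword is present; flags with no keyword (null) are always set.
const SANDBOX_FLAGS = {
  "sandboxed navigation browsing context flag": null,
  "sandboxed auxiliary navigation browsing context flag": "allow-popups",
  "sandboxed top-level navigation browsing context flag": "allow-top-navigation",
  "sandboxed plugins browsing context flag": null,
  "sandboxed origin browsing context flag": "allow-same-origin",
  "sandboxed forms browsing context flag": "allow-forms",
  "sandboxed pointer lock browsing context flag": "allow-pointer-lock",
  "sandboxed scripts browsing context flag": "allow-scripts",
  "sandboxed automatic features browsing context flag": "allow-scripts",
};

function parseSandboxingDirective(attrValue) {
  // Keywords are ASCII case-insensitive and separated by ASCII whitespace.
  const keywords = new Set(
    attrValue.trim().toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean)
  );
  const flags = new Set();
  for (const [flag, keyword] of Object.entries(SANDBOX_FLAGS)) {
    if (keyword === null || !keywords.has(keyword)) flags.add(flag);
  }
  return flags;
}

// Hypothetical helper: what the flags mean for a document of frameOrigin
// embedded by a page at parentOrigin (both are constructed example values).
function describeSandbox(attrValue, frameOrigin, parentOrigin) {
  const flags = parseSandboxingDirective(attrValue);
  const uniqueOrigin = flags.has("sandboxed origin browsing context flag");
  const scriptsBlocked = flags.has("sandboxed scripts browsing context flag");
  // A unique origin matches nothing, so document.cookie and localStorage are
  // unreachable and no other document is same-origin with the frame. Without
  // the flag, the frame keeps its real origin and ordinary same-origin rules
  // apply, which is why a cross-origin frame still cannot touch its parent.
  const sameOriginAsParent = !uniqueOrigin && frameOrigin === parentOrigin;
  return {
    uniqueOrigin,
    ownStorageAccess: !uniqueOrigin,
    parentDomAccess: sameOriginAsParent,
    // Spec warning: a frame that is same-origin with its embedder and may run
    // scripts can remove its own sandbox attribute and reload, escaping it.
    canEscapeSandbox: sameOriginAsParent && !scriptsBlocked,
    flags: [...flags],
  };
}
```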
Received on Monday, 25 February 2013 10:14:07 UTC