Re: [whatwg] Cross-origin iframe and @sandbox=allow-same-origin from Janusz Majnert on 2013-02-25 (public-whatwg-archive@w3.org from February 2013)

From: Janusz Majnert <jmajnert@gmail.com>
Date: Mon, 25 Feb 2013 11:13:36 +0100
To: David Bruant <bruant.d@gmail.com>
Cc: whatwg <whatwg@whatwg.org>
Message-ID: <CAOeF0ew9PWtTgE-HHMKax7aYvG19o9SAwuwapXyVYTqQq3jibA@mail.gmail.com>

Hi,
>From what I understand, it goes like this:
Using the sandboxing flag on an iframe causes several fine-grained
flags to be set (point 3 of the algorithm). One of the flags -
"sandboxed origin browsing context flag"[1] forces the document into
unique origin and blocks access to document.cookie and localStorage.
This flag is set unless "allow-same-origin" is used.

So in effect, using "allow-same-origin" on an iframe containing
third-party site will sandbox it but will still allow it to use its
own document.cookie and localStorage, without giving any access to
parent browsing context. The other fine-grained sandboxing flags will
block it. In the example you gave, the "sandboxed navigation browsing
context flag"[2] would kick in and prevent this behaviour.


Regards,
Janusz Majnert


[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-origin-browsing-context-flag
[2] http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-navigation-browsing-context-flag



2013/2/25 David Bruant <bruant.d@gmail.com>:
> Hi,
>
> The current description of the allow-same-origin sandbox token in the spec
> is:
> " The allow-same-origin keyword allows the content to be treated as being
> from the same origin instead of forcing it into a unique origin;"
>
> This is a very scary wording. Understood naively, I understand I could host
> a page in the "davidbruant.github.com" domain with an iframe to anywhere
> (pick your favorite social network/email client website), add
> @sandbox="allow-same-origin" and suddenly, I'd be able to look at the
> content (since the iframe would be treated as being from the same origin).
>
> Obviously, that's not how it works (I say "obviously", because browser
> vendors would have not implemented what I just described. If they had, the
> world might have collapsed quickly).
> From what I've tested both in Firefox and Chrome, when I have an iframe from
> a different domain, I can get the contentDocument, but it looks like
> about:blank from what I can observe in the container. Where is this behavior
> described?
>
>
> Also, in some notes [1], I can read:
> "Second, [allow-same-origin] can be used to embed content from a third-party
> site, sandboxed to prevent that site from opening pop-up windows, etc,
> without preventing the embedded page from communicating back to its
> originating site, using the database APIs to store data, etc."
>
> I fail to understand what is specific about allow-same-origin that allows
> that without adding also allow-scripts or allow-forms.
>
>
> As a more general question: does iframe@sandbox="allow-same-origin" make a
> page and a cross-origin iframe further connected than they are currently
> without the keyword?
>
> Thanks,
>
> David
>
> [1]
> http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#attr-iframe-sandbox-allow-same-origin

Received on Monday, 25 February 2013 10:14:07 UTC