Re: [whatwg] iframe sandbox and top navigation from Ian Hickson on 2013-07-11 (public-whatwg-archive@w3.org from July 2013)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 11 Jul 2013 20:23:21 +0000 (UTC)
To: Ian Melven <imelven@mozilla.com>
Cc: whatwg@lists.whatwg.org
Message-ID: <alpine.DEB.2.00.1307112014120.15729@ps20323.dreamhostps.com>

On Wed, 28 Nov 2012, Ian Melven wrote:
> 
> while working on https://bugzilla.mozilla.org/show_bug.cgi?id=785310 
> (block setting window.top.location from a document sandboxed without 
> 'allow-top-navigation') and discussing the correct behavior with Bobby 
> Holley, I found some interesting differences between what Chrome and IE 
> have implemented around top navigation and iframe sandbox.
> 
> In my testing with Chrome, if you have a sandboxed document with the 
> same origin as the top level document and the sandboxed document has 
> 'allow-same-origin allow-scripts'

Note that that combination is highly insecure. A script in that situation 
can just turn off the sandboxing and reload itself. It's only useful as a 
runtime aid to enforce abstractions, like type checking; it's not a 
security feature once you've got both of those enabled.

> It would be great if the spec could clarify the correct behavior around 
> top navigation when the sandboxed document is/is not same origin with 
> the top level document.

I think it's pretty clear now. Right at the top of the navigation 
algorithm, you check "allowed to navigate"; the situation you are 
describing clearly matches case 2, therefore it's not allowed to navigate, 
since hte "sandboxed top-level navigation browsing context flag" is set -- 
you can only unset it using sandbox="... allow-top-navigation".

> One option would be for Chrome/Webkit to also block the window.top.eval loophole

Given that the file is same-origin and has scripts enabled, it's not a 
loophole. It's a huge gigantic chasm. They could just put in any script 
they wanted into the parent doc. They could remove their own sandboxing.

> but in general we feel that trying to stop this when the documents are 
> same origin would possibly be problematic. Another option would be to 
> not block top navigation when the sandboxed document is same origin with 
> the top level document (which implies it's been sandboxed with 
> 'allow-same-origin' of course).
> 
> From discussions with Bobby, I think we prefer the second option. The 
> restriction on navigating window.top would only be applied in the cross 
> domain case.

I don't understand the use case for this. This particular combination 
isn't one that really makes sense; why would we make exceptions for it?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 11 July 2013 20:23:45 UTC