- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 11 Jul 2013 20:23:21 +0000 (UTC)
- To: Ian Melven <imelven@mozilla.com>
- Cc: whatwg@lists.whatwg.org
On Wed, 28 Nov 2012, Ian Melven wrote:
>
> while working on https://bugzilla.mozilla.org/show_bug.cgi?id=785310
> (block setting window.top.location from a document sandboxed without
> 'allow-top-navigation') and discussing the correct behavior with Bobby
> Holley, I found some interesting differences between what Chrome and IE
> have implemented around top navigation and iframe sandbox.
>
> In my testing with Chrome, if you have a sandboxed document with the
> same origin as the top level document and the sandboxed document has
> 'allow-same-origin allow-scripts'

Note that that combination is highly insecure. A script in that situation 
can just turn off the sandboxing and reload itself. It's only useful as a 
runtime aid to enforce abstractions, like type checking; it's not a 
security feature once you've got both of those enabled.

> It would be great if the spec could clarify the correct behavior around
> top navigation when the sandboxed document is/is not same origin with
> the top level document.

I think it's pretty clear now. Right at the top of the navigation 
algorithm, you check "allowed to navigate"; the situation you are 
describing clearly matches case 2, therefore it's not allowed to 
navigate, since the "sandboxed top-level navigation browsing context 
flag" is set -- you can only unset it using sandbox="... 
allow-top-navigation".

> One option would be for Chrome/Webkit to also block the window.top.eval
> loophole

Given that the file is same-origin and has scripts enabled, it's not a 
loophole. It's a huge gigantic chasm. They could just put in any script 
they wanted into the parent doc. They could remove their own sandboxing.

> but in general we feel that trying to stop this when the documents are
> same origin would possibly be problematic. Another option would be to
> not block top navigation when the sandboxed document is same origin with
> the top level document (which implies it's been sandboxed with
> 'allow-same-origin' of course).
>
> From discussions with Bobby, I think we prefer the second option. The
> restriction on navigating window.top would only be applied in the cross
> domain case.

I don't understand the use case for this. This particular combination 
isn't one that really makes sense; why would we make exceptions for it?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /, _.. \ _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
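The two rules Hickson states above (top navigation is gated only by the allow-top-navigation keyword, and allow-same-origin plus allow-scripts on same-origin content lets the framed page remove its own sandbox) can be turned into a review check for iframe sandbox attribute values. This is an added example, not code from the thread or from any browser; the function names are hypothetical and the frame-origin relationship is passed in as a flag.

```javascript
// Added example: lint an <iframe sandbox="..."> value against the two points
// made in the thread. Runs under Node with no DOM.

// The sandbox attribute is an ASCII case-insensitive, space-separated set of
// unique tokens; sandbox="" means every restriction is in force.
function parseSandbox(attrValue) {
  return new Set(attrValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// "Allowed to navigate" for the top-level browsing context: the sandboxed
// top-level navigation browsing context flag stays set unless the attribute
// carries allow-top-navigation. Origin does not enter into this rule.
function canNavigateTop(tokens) {
  return tokens.has('allow-top-navigation');
}

// With allow-same-origin and allow-scripts on content that is same-origin
// with the embedder, the framed script can reach the parent document, strip
// its own sandbox attribute and reload, so the sandbox is only an abstraction
// aid there, not a security boundary.
function sandboxIsSecurityBoundary(tokens, frameIsSameOriginWithParent) {
  const escapable = frameIsSameOriginWithParent &&
    tokens.has('allow-same-origin') && tokens.has('allow-scripts');
  return !escapable;
}

// One verdict per attribute value, as a reviewer would want it.
function reviewSandbox(attrValue, frameIsSameOriginWithParent) {
  const tokens = parseSandbox(attrValue);
  const findings = [];
  if (!sandboxIsSecurityBoundary(tokens, frameIsSameOriginWithParent)) {
    findings.push('allow-same-origin + allow-scripts on same-origin content: ' +
                  'the framed page can remove its own sandbox');
  }
  if (canNavigateTop(tokens)) {
    findings.push('allow-top-navigation: the framed page may navigate window.top');
  }
  return {
    tokens: [...tokens].sort(),
    canNavigateTop: canNavigateTop(tokens),
    isSecurityBoundary: sandboxIsSecurityBoundary(tokens, frameIsSameOriginWithParent),
    findings,
  };
}

// Constructed sample: the configuration discussed in the thread vs a tightened one.
const weak = reviewSandbox('allow-same-origin allow-scripts', true);
const tight = reviewSandbox('allow-scripts', true);
console.log(weak.findings);   // one finding: sandbox escapable
console.log(tight.findings);  // []
```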
Received on Thursday, 11 July 2013 20:23:45 UTC