Re: [whatwg] iframe sandbox and allow-scripts from Ian Hickson on 2013-07-23 (public-whatwg-archive@w3.org from July 2013)

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 23 Jul 2013 20:32:44 +0000 (UTC)
To: Ian Melven <imelven@mozilla.com>, Adam Barth <w3c@adambarth.com>
Cc: whatwg <whatwg@lists.whatwg.org>
Message-ID: <alpine.DEB.2.00.1307232031420.9685@ps20323.dreamhostps.com>

On Fri, 12 Apr 2013, Ian Melven wrote:
> 
> Freddy Braun recently noticed that he could do the following in Firefox 
> :
> 
> <iframe id='foo' sandbox='allow-same-origin' src='inner.html'>
> 
> (note no allow-scripts)
> 
> and then in the document containing the iframe:
> 
> var iframe = document.getElementById('foo'); 
> iframe.contentWindow.eval("alert(document.location)");
> 
> and the alert will fire, which he found surprising.
> 
> I tested this in Chrome and IE 10 and found the behavior consistent 
> across all three browsers.
> 
> The relevant portion of the spec seems to be (from 
> http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#enabling-and-disabling-scripting) 
> :
> 
> * Scripting is enabled in a browsing context if ... The browsing 
> context's active document's active sandboxing flag set does not have its 
> sandboxed scripts browsing context flag set.
> 
> is the intent in Freddy's case to apply this rule using the browsing 
> context of the script entry point ? that fits the implemented behavior, 
> but maybe should be mentioned in the iframe sandbox/allow-scripts 
> section of the spec ?

On Sat, 22 Jun 2013, Adam Barth wrote:
> 
> That's the behavior I would expect.  You can also do the following:
> 
> var iframe = document.getElementById('foo'); 
> iframe.contentWindow.alert("hello");
> 
> The allow-scripts sandbox flag doesn't block the script interfaces 
> inside the iframe.  It just prevents content inside the iframe from 
> triggering script execution.  In this case, the content outside the 
> iframe is the one triggering the script execution.

I agree with Adam that executing the eval() is consistent with the HTML 
spec. The reasoning is that the "eval" is done by JavaScript itself, which 
doesn't check if scripting is enabled when it runs the script. The 
scripting-is-enabled stuff is only checked when HTML itself tries to 
compile or run a script, e.g. in a <script> block or event handler.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 23 July 2013 20:33:11 UTC