- From: Mike West <mkwst@google.com>
- Date: Tue, 14 Jul 2015 09:54:28 +0200
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: David Bruant <bruant.d@gmail.com>, Chris Coyier <chriscoyier@gmail.com>, WHAT Working Group Mailing List <whatwg@whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>, Alex Russell <slightlyoff@google.com>, Ian Hickson <ian@hixie.ch>
On Thu, Jul 9, 2015 at 5:28 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On Mon, Jul 6, 2015 at 2:47 AM, Mike West <mkwst@google.com> wrote:
>
>> I've dropped the opener/openee-disowning behavior from my proposal,
>> and renamed the sandboxing keyword to `allow-popups-to-escape-sandbox` in
>>
>> https://wiki.whatwg.org/index.php?title=Iframe_sandbox_improvments&diff=9958&oldid=9955
>
> It appears that this new keyword as described would still require the use
> of allow-popups in addition to allow-popups-to-escape-sandbox. Since it
> doesn't make any sense on its own, can you change it so that either keyword
> allows popups to happen? That is, propose changing
>
> [Set] The sandboxed auxiliary navigation browsing context flag
> <https://developers.whatwg.org/origin-0.html#sandboxed-auxiliary-navigation-browsing-context-flag>,
> unless tokens contains the allow-popups keyword.
>
> to
>
> [Set] The sandboxed auxiliary navigation browsing context flag
> <https://developers.whatwg.org/origin-0.html#sandboxed-auxiliary-navigation-browsing-context-flag>,
> unless tokens contains the allow-popups or *allow-popups-to-escape-sandbox* keyword.
>
> (might then require changing -to-escape- to -that-escape-)

My only concern with this is that folks might disallow certain sandboxing flags that they know are dangerous, which might mean that their CMS would block `allow-plugins`, but might allow new flags (which would then allow someone to `allow-plugins-to-escape-sandbox`). This kind of blacklisting is probably a bit far-fetched, so I could live with the behavior if you feel strongly about it, but I'd prefer to keep the changes as small and additive as possible.

-mike
Received on Tuesday, 14 July 2015 07:55:16 UTC
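The two readings of the keyword discussed in this thread, and the blocklist concern in the reply, modelled as an added example (not code from the thread or from any browser); the flag names, the `eitherKeywordAllowsPopups` switch and the `allow-plugins` / `allow-plugins-to-escape-sandbox` keywords follow the thread's hypotheticals and are not real HTML sandbox keywords:

```javascript
// Added example, not code from the thread: models the `sandbox` token
// semantics discussed above and the blocklist concern raised in the reply.

// Parse a sandbox attribute value: an ASCII case-insensitive, whitespace-separated
// set of keywords (duplicates collapse, insertion order is kept).
function parseSandboxTokens(attr) {
  return new Set(attr.toLowerCase().trim().split(/\s+/).filter(Boolean));
}

// Compute the two browsing-context flags the proposal touches.
// Default: Mike's additive reading, where `allow-popups-to-escape-sandbox`
// only clears the "propagates to auxiliary" flag and `allow-popups` is still
// needed to open popups at all. With eitherKeywordAllowsPopups set, apply
// Daniel's proposed wording, where either keyword unblocks popups.
function computeFlags(attr, { eitherKeywordAllowsPopups = false } = {}) {
  const tokens = parseSandboxTokens(attr);
  const escape = tokens.has('allow-popups-to-escape-sandbox');
  const popups = tokens.has('allow-popups') || (eitherKeywordAllowsPopups && escape);
  return {
    sandboxedAuxiliaryNavigation: !popups, // set => window.open etc. blocked
    sandboxPropagatesToAuxiliary: !escape, // set => popups inherit the sandbox
  };
}

// A CMS that filters the attribute by blocklist passes every keyword it has
// never heard of, so a future keyword (the thread's hypothetical
// `allow-plugins-to-escape-sandbox`) slips through while `allow-plugins` is blocked.
function sanitizeByBlocklist(attr, blocked) {
  return [...parseSandboxTokens(attr)].filter((t) => !blocked.has(t)).join(' ');
}

// An allowlist only keeps keywords the operator explicitly vetted, so new
// keywords stay inert until someone reviews and adds them.
function sanitizeByAllowlist(attr, allowed) {
  return [...parseSandboxTokens(attr)].filter((t) => allowed.has(t)).join(' ');
}

// Constructed input: an embedded widget's sandbox value as a CMS might receive it.
const untrusted = 'allow-scripts ALLOW-PLUGINS allow-plugins-to-escape-sandbox';
console.log(sanitizeByBlocklist(untrusted, new Set(['allow-plugins'])));
console.log(sanitizeByAllowlist(untrusted, new Set(['allow-scripts', 'allow-popups'])));
console.log(computeFlags('allow-popups-to-escape-sandbox'));
console.log(computeFlags('allow-popups-to-escape-sandbox', { eitherKeywordAllowsPopups: true }));
```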