[whatwg] Proposal: Two changes to iframe@sandbox from Mike West on 2015-05-11 (public-whatwg-archive@w3.org from May 2015)

From: Mike West <mkwst@google.com>
Date: Mon, 11 May 2015 06:11:12 +0200
To: WHAT Working Group Mailing List <whatwg@whatwg.org>
Cc: Chris Coyier <chriscoyier@gmail.com>, David Bruant <bruant.d@gmail.com>, Ian Hickson <ian@hixie.ch>, Alex Russell <slightlyoff@google.com>
Message-ID: <CAKXHy=cYYpu7UnHjJZ2uTEhj2MZtp8QbzF+squML6TShWtgmSw@mail.gmail.com>

(BCC: public-webappsec@w3.org)

Hello, wonderful whatwg@ folks!

I've talked with a few folks from Google's advertising teams who are
interested in using sandboxed iframes to mitigate the risks associated with
ads. They've flagged two things that they'd like to see happen in the
future:

1. Block usage of `alert()` (and its friends `confirm()`, `prompt()`, and
`print()` (and `showModalDialog()` for browsers that support it)).

2. Allow sandboxed frames to spawn new windows without forcing the sandbox
upon them. This would allow the advertisement itself to be sandboxed,
without forcing the same restrictive flags upon a landing page.

# Proposal

1. Block modal dialogs from inside sandboxed frames. That is:

* `alert(...)` would return without popping up a dialog.
* `confirm(...)` would return `false` without popping up a dialog.
* `prompt(...)` would return `null` without popping up a dialog.
* `print(...)` would return without popping up a dialog.

This was discussed briefly at
https://lists.w3.org/Archives/Public/public-whatwg-archive/2014May/0002.html,
but I didn't find any follow-up (CCing folks from that thread). I've added
metrics to Chrome in https://codereview.chromium.org/1121053002, but it
will take a few weeks to get good data. Given the low usage of sandboxes in
general (~0.5% of page views, according to
https://www.chromestatus.com/metrics/feature/timeline/popularity/672), I
suspect we could fairly easily make this change.

2. Add a `allow-unsandboxed-auxiliary` keyword to those supported by the
`sandbox` attribute, which, when present, would allow auxiliary browsing
contexts created by `window.open` and `target="_blank"` links to create
clean browsing contexts, unaffected by the sandbox which spawned them.

WDYT?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 11 May 2015 04:11:57 UTC