- From: Mike West <mkwst@google.com>
- Date: Mon, 11 May 2015 07:33:40 +0200
- To: Jim Manico <jim.manico@owasp.org>
- Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Chris Coyier <chriscoyier@gmail.com>, David Bruant <bruant.d@gmail.com>, Ian Hickson <ian@hixie.ch>, Alex Russell <slightlyoff@google.com>
On Mon, May 11, 2015 at 7:27 AM, Jim Manico <jim.manico@owasp.org> wrote:

> > 2. Allow sandboxed frames to spawn new windows without forcing the
> > sandbox upon them.
>
> I think this needs to be restricted so sandboxed iFrames cannot spawn new
> windows back to the same domain - or better yet may only spawn windows to
> limited domain/domains driven by the initial ad request.

What risk do you see that mitigating? How would you expect it to behave with regard to redirects or navigations?

I guess I don't see the value in adding these kinds of restrictions, and (especially given the target audience, and their predilection for tons and tons of cross-origin redirects) it seems like making it easier to sandbox the inlined frame outweighs the desire to lock down the out-of-line auxiliary browsing context.

Also, note that the proposal already makes the behavior opt-in via the `allow-unsandboxed-auxiliary` keyword (it wouldn't change the behavior of any existing sandboxed frame), and browsers generally throttle the creation of popups in various ways (Chrome allows only one popup per user gesture, for instance).

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 11 May 2015 05:34:23 UTC
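The opt-in behaviour Mike describes, as an added model written for this archive page rather than code from the thread, a browser, or the HTML spec: a sandbox attribute value is parsed the way browsers tokenize it, and the result says whether a document in that frame can open a popup at all (`allow-popups`) and whether that popup inherits the frame's sandbox or, with the proposed `allow-unsandboxed-auxiliary` keyword, escapes it. The keyword list and the inheritance rule are assumptions based on the thread's description, and `auditSandboxAttributes` is a hypothetical helper for reviewing a page's frames.

```javascript
// Added example (not browser or spec code): model which popups escape the
// sandbox under the proposal discussed in the thread.

// Sandbox keywords this model recognises. The last one is the keyword
// proposed in the thread, assumed here to mean "popups opened from this
// frame are not sandboxed".
const KNOWN_KEYWORDS = new Set([
  'allow-forms', 'allow-pointer-lock', 'allow-popups', 'allow-same-origin',
  'allow-scripts', 'allow-top-navigation',
  'allow-unsandboxed-auxiliary', // proposed keyword (assumption: as described in the thread)
]);

// Parse a sandbox attribute value: ASCII case-insensitive tokens separated
// by whitespace; unknown tokens are ignored; an empty value means
// "every restriction applies".
function parseSandbox(attr) {
  const tokens = new Set();
  for (const raw of String(attr).trim().split(/\s+/)) {
    const t = raw.toLowerCase();
    if (t && KNOWN_KEYWORDS.has(t)) tokens.add(t);
  }
  return tokens;
}

// What happens when a document inside the frame calls window.open().
// Without allow-popups the popup is blocked. With it, the popup inherits
// the frame's sandbox unless the frame also opts in to the proposed keyword.
function auxiliaryContextFor(attr) {
  const tokens = parseSandbox(attr);
  if (!tokens.has('allow-popups')) {
    return { opened: false, sandboxed: null };
  }
  const escapes = tokens.has('allow-unsandboxed-auxiliary');
  return { opened: true, sandboxed: !escapes };
}

// Hypothetical review helper: given the sandbox attribute values found on a
// page, return the ones whose popups would run unsandboxed, so a reviewer can
// confirm each opt-in was intended.
function auditSandboxAttributes(attrs) {
  return attrs.filter((a) => {
    const r = auxiliaryContextFor(a);
    return r.opened && !r.sandboxed;
  });
}

module.exports = { parseSandbox, auxiliaryContextFor, auditSandboxAttributes };
```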