Re: [whatwg] Proposal: Two changes to iframe@sandbox

On Mon, May 11, 2015 at 7:27 AM, Jim Manico <jim.manico@owasp.org> wrote:

> > 2. Allow sandboxed frames to spawn new windows without forcing the
> sandbox upon them.
>
> I think this needs to be restricted so sandboxed iFrames cannot spawn new
> windows back to the same domain - or better yet may only spawn windows to
> limited domain/domains driven by the initial ad request.
>

What risk do you see that mitigating? How would you expect it to behave
with regard to redirects or navigations? I guess I don't see the value in
adding these kinds of restrictions, and (especially given the target
audience, and their predilection for tons and tons of cross-origin
redirects) it seems like making it easier to sandbox the inlined frame
outweighs the desire to lock down the out-of-line auxiliary browsing
context.

Also, note that the proposal already makes the behavior opt-in via the
`allow-unsandboxed-auxiliary` keyword (it wouldn't change the behavior of
any existing sandboxed frame), and browsers generally throttle the creation
of popups in various ways (Chrome allows only one popup per user gesture,
for instance).

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 11 May 2015 05:34:23 UTC