- From: Mike West <mkwst@google.com>
- Date: Mon, 11 May 2015 09:28:44 +0200
- To: Jim Manico <jim.manico@owasp.org>
- Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Chris Coyier <chriscoyier@gmail.com>, David Bruant <bruant.d@gmail.com>, Ian Hickson <ian@hixie.ch>, Alex Russell <slightlyoff@google.com>
On Mon, May 11, 2015 at 9:19 AM, Jim Manico <jim.manico@owasp.org> wrote:

> The whole purpose of a sandbox is to limit what content inside of it can
> do. I want to limit where that sandbox can open windows with full
> cookie/script/etc. access.

And you can do so by _not_ specifying the new flag I'm proposing. :) Again, `<iframe sandbox>`'s behavior would not change. The proposal would add new behavior only for something like `<iframe sandbox="allow-unsandboxed-auxiliary allow-popup">`.

> So essentially I want to say, "You can show your ad, you can't run a script
> or access my main window. Also, you can only open full-access windows back
> to the same domain that your ad came from."

If the ad comes from `advertising-is-awesome.net`, but is pointing users to the excellent products at `products-are-nice.com`, how would your proposal allow a click on the ad to navigate a user to the excellent products in an unsandboxed window (e.g. one that has an origin)? I'd suggest that that's an essential component. It's certainly essential to advertisers.

> Is that too extreme of an ask? I just don't like the idea that a sandboxed
> resource has full access to open any new window. It seems excessive and can
> exploit CSRF vulns in a way a full sandboxed iFrame as I'm describing could
> not.

I still don't understand the threat model you're proposing. That is, I don't see sandboxing as a CSRF defense at all. Sandboxed frames can navigate themselves to any origin right now, and load any origin in a frame. If the `allow-popups` flag is set, they can open auxiliary windows. If the `allow-forms` flag is set, they can POST to arbitrary origins.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg, Managing Directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
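As an added illustration of the capability model Mike describes (not code from the thread or from any browser), the helper below audits `<iframe sandbox>` tags in a page and reports what each frame can still do: self-navigation and child-frame loads are never blocked, `allow-popups` permits auxiliary windows, `allow-forms` permits cross-origin POSTs, and the proposed `allow-unsandboxed-auxiliary` token (assumed here to have the semantics proposed in the thread, not a shipped attribute value) only matters when `allow-popups` is also present. The sample markup is constructed.

```javascript
// Token proposed in this thread; assumed semantics, not a shipped flag.
const PROPOSED_ESCAPE_FLAG = "allow-unsandboxed-auxiliary";

// sandbox="" is an ASCII-whitespace-separated, case-insensitive token list.
function parseSandboxTokens(value) {
  return new Set(
    value.trim().toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean)
  );
}

// What a frame with this sandbox value can still do, per the reply above.
function sandboxCapabilities(value) {
  const flags = parseSandboxTokens(value);
  const popups = flags.has("allow-popups");
  return {
    navigateSelfAnywhere: true,          // never restricted by sandboxing
    loadAnyOriginInChildFrame: true,     // never restricted by sandboxing
    openAuxiliaryWindows: popups,
    auxiliaryWindowsUnsandboxed: popups && flags.has(PROPOSED_ESCAPE_FLAG),
    postFormsToArbitraryOrigins: flags.has("allow-forms"),
    runScript: flags.has("allow-scripts"),
  };
}

// Extract every sandboxed iframe from an HTML string. A regex is enough for
// the constructed sample below; use a real HTML parser on production markup.
function auditIframes(html) {
  const re =
    /<iframe\b[^>]*\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?[^>]*>/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const value = m[1] || m[2] || m[3] || ""; // bare `sandbox` = no tokens
    findings.push({ tag: m[0], ...sandboxCapabilities(value) });
  }
  return findings;
}

// Constructed sample: a fully sandboxed ad, an ad that may open windows and
// submit forms, and one using the proposed escape token (case-mixed on purpose).
const SAMPLE_HTML = `
<iframe sandbox src="https://ad.example/creative"></iframe>
<iframe sandbox="allow-popups allow-forms" src="https://ad.example/creative"></iframe>
<iframe SANDBOX="Allow-Popups allow-unsandboxed-auxiliary" src="https://ad.example/c"></iframe>
`;
```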
Received on Monday, 11 May 2015 07:29:29 UTC