
Re: [whatwg] Proposal: Two changes to iframe@sandbox

From: Mike West <mkwst@google.com>
Date: Mon, 11 May 2015 09:28:44 +0200
Message-ID: <CAKXHy=cgKY++e0z2DCHbn=KO-ubhOYkExncdD7VetVSJ+PwbwA@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Chris Coyier <chriscoyier@gmail.com>, David Bruant <bruant.d@gmail.com>, Ian Hickson <ian@hixie.ch>, Alex Russell <slightlyoff@google.com>
On Mon, May 11, 2015 at 9:19 AM, Jim Manico <jim.manico@owasp.org> wrote:

> The whole purpose of a sandbox is to limit what content inside of it can
> do. I want to limit where that sandbox can open windows with full
> cookie/script/etc access.

And you can do so by _not_ specifying the new flag I'm proposing. :)

Again, `<iframe sandbox>`'s behavior would not change. The proposal would
add new behavior only for something like `<iframe
sandbox="allow-unsandboxed-auxiliary allow-popups">`.

> So essentially I want to say, "You can show your ad, you can't run a script
> or access my main window. Also, you can only open full-access windows back
> to the same domain that your ad came from."

If the ad comes from `advertising-is-awesome.net`, but is pointing users to
the excellent products at `products-are-nice.com`, how would your proposal
allow a click on the ad to navigate a user to the excellent products in an
unsandboxed window (e.g. one that has an origin)? I'd suggest that that's
an essential component. It's certainly essential to advertisers.

> Is that too extreme of an ask? I just don't like the idea that a sandboxed
> resource has full access to open any new window. It seems excessive and can
> exploit CSRF vulns in a way a fully sandboxed iFrame as I'm describing could
> not.

I still don't understand the threat model you're proposing. That is, I
don't see sandboxing as a CSRF defense at all. Sandboxed frames can
navigate themselves to any origin right now, and load any origin in a
frame. If the `allow-popups` flag is set, it can open auxiliary windows. If
the `allow-forms` flag is set, it can POST to arbitrary origins.

Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registry court and number: Hamburg, HRB 86891, Registered office:
Hamburg, Managing directors: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 11 May 2015 07:29:29 UTC
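The point made in the message above, that `<iframe sandbox="allow-forms">` still lets the framed content POST to arbitrary origins, means the receiving site, not the sandbox, has to stop cross-site state changes. The following is an added example, not code from this thread or from any browser or WHATWG project: a server-side origin check of the kind a state-changing endpoint would run. It relies on two browser behaviours: a form submitted from a sandboxed frame (no `allow-same-origin`) carries an opaque origin, which the `Origin` header serializes as the literal string `null`, and current browsers add a `Sec-Fetch-Site` header. `checkCsrfOrigin` and `runSamples` are hypothetical names, the site `products-are-nice.com` and the ad host are taken from the thread, and every request in `SAMPLE_REQUESTS` is constructed for the example.

```javascript
// Added example: server-side CSRF origin check. Illustrates why the sandbox
// attribute is not a CSRF defense: a form POST from a sandboxed ad frame
// still reaches the target origin, arriving with "Origin: null" (opaque
// origin), while an unsandboxed ad frame sends the ad network's origin.
// Both must be rejected by the endpoint itself. Names and header values
// below are constructed for the example.

const SITE_ORIGIN = "https://products-are-nice.com"; // assumed protected site

// Methods that must not change state and therefore need no CSRF check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Decide whether a request may change state. Returns { allowed, reason }.
function checkCsrfOrigin(req, siteOrigin = SITE_ORIGIN) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { allowed: true, reason: "safe method" };
  }
  const h = lowerCaseHeaders(req.headers);

  // Fetch Metadata, when present, is the cheapest signal. Only "same-origin"
  // (and "none", a user-initiated navigation) are accepted; "same-site" is
  // refused too, so a compromised sibling subdomain cannot submit forms here.
  const site = h["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin" && site !== "none") {
    return { allowed: false, reason: `Sec-Fetch-Site=${site}` };
  }

  const origin = h["origin"];
  if (origin === undefined) {
    // No Origin header (older browsers on some requests): fall back to Referer,
    // and refuse outright if the request's source cannot be determined.
    const referer = h["referer"];
    if (referer === undefined) {
      return { allowed: false, reason: "no Origin or Referer" };
    }
    let refOrigin;
    try {
      refOrigin = new URL(referer).origin;
    } catch {
      return { allowed: false, reason: "unparseable Referer" };
    }
    if (refOrigin !== siteOrigin) {
      return { allowed: false, reason: `Referer origin ${refOrigin}` };
    }
    return { allowed: true, reason: "Referer matches" };
  }
  if (origin === "null") {
    // Opaque origin: a sandboxed frame without allow-same-origin, a data: URL,
    // or a cross-origin redirect chain. Never treat it as first-party.
    return { allowed: false, reason: "opaque (null) origin" };
  }
  if (origin !== siteOrigin) {
    return { allowed: false, reason: `foreign origin ${origin}` };
  }
  return { allowed: true, reason: "Origin matches" };
}

// Constructed requests, shaped as a browser would send them.
const SAMPLE_REQUESTS = {
  // Form POST from inside <iframe sandbox="allow-forms"> on the publisher page.
  sandboxedAdFrame: { method: "POST", headers: { Origin: "null", "Sec-Fetch-Site": "cross-site" } },
  // Form POST from an unsandboxed frame served by the ad network.
  adNetworkFrame: { method: "POST", headers: { Origin: "https://advertising-is-awesome.net", "Sec-Fetch-Site": "cross-site" } },
  // Form POST from the site's own page.
  firstParty: { method: "POST", headers: { Origin: SITE_ORIGIN, "Sec-Fetch-Site": "same-origin" } },
  // Older browser: no Fetch Metadata, no Origin, only a same-origin Referer.
  legacyFirstParty: { method: "POST", headers: { Referer: `${SITE_ORIGIN}/cart` } },
  // Cross-site navigation with a safe method; must not change state anyway.
  pageView: { method: "GET", headers: { "Sec-Fetch-Site": "cross-site" } },
};

function runSamples() {
  const results = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    results[name] = checkCsrfOrigin(req);
  }
  return results;
}

for (const [name, r] of Object.entries(runSamples())) {
  console.log(`${name.padEnd(18)} allowed=${r.allowed} (${r.reason})`);
}
```

The check is deliberately strict about `Origin: null`: the sandbox gives the ad frame an opaque origin, but the browser still delivers its POST, with the user's cookies where SameSite permits, so the endpoint has to recognise that an opaque origin is never first-party. This complements, rather than replaces, a per-session CSRF token.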
