- From: Justin Dolske <dolske@mozilla.com>
- Date: Mon, 11 May 2015 14:59:02 -0700
- To: Mike West <mkwst@google.com>
- Cc: David Bruant <bruant.d@gmail.com>, Jim Manico <jim.manico@owasp.org>, WHAT Working Group Mailing List <whatwg@whatwg.org>, Chris Coyier <chriscoyier@gmail.com>, Alex Russell <slightlyoff@google.com>, Ian Hickson <ian@hixie.ch>
On Mon, May 11, 2015 at 7:13 AM, Mike West <mkwst@google.com> wrote:

> > The worst offender: linking to things that are .htpasswd protected and it
> > pops up that authentication modal.
>
> I wouldn't be terribly averse to dropping support for that inside a
> sandbox. Especially a sandbox without `allow-same-origin`.

Firefox sorta does this by default, as of https://bugzilla.mozilla.org/show_bug.cgi?id=647010. At least it appears to for cross-origin iframes, which I would expect to be the normal case for ads?

Also, along with blocking alert() et al from sandboxed iframes, it would be good to include the onbeforeunload dialog. It's a pretty common target for abuse. We've got a bug to disable it entirely in iframes (1131187), but no one is actively working on it.

Justin
Received on Monday, 11 May 2015 21:59:27 UTC