
Re: [whatwg] Proposal: Two changes to iframe@sandbox

From: Mike West <mkwst@google.com>
Date: Tue, 12 May 2015 05:46:26 +0200
Message-ID: <CAKXHy=d0Thcc62P26ce-YvCwK1xBBwn=gXB6OTJ_GmLjUt6LBg@mail.gmail.com>
To: Justin Dolske <dolske@mozilla.com>
Cc: David Bruant <bruant.d@gmail.com>, Jim Manico <jim.manico@owasp.org>, WHAT Working Group Mailing List <whatwg@whatwg.org>, Chris Coyier <chriscoyier@gmail.com>, Alex Russell <slightlyoff@google.com>, Brad Hill <hillbrad@gmail.com>, Ian Hickson <ian@hixie.ch>
On Mon, May 11, 2015 at 11:59 PM, Justin Dolske <dolske@mozilla.com> wrote:

> On Mon, May 11, 2015 at 7:13 AM, Mike West <mkwst@google.com> wrote:
>
>> > The worst offender: linking to things that are .htpasswd protected and
>> > it pops up that authentication modal.
>> >
>>
>> I wouldn't be terribly averse to dropping support for that inside a
>> sandbox. Especially a sandbox without `allow-same-origin`.
>>
>>
> Firefox sorta does this by default, as of
> https://bugzilla.mozilla.org/show_bug.cgi?id=647010. At least it appears
> to for cross-origin iframes, which I would expect to be the normal case for
> ads?
>

Interesting! Thanks for the pointer to the bug. If Firefox is already going
this route, I don't see any reason Chrome shouldn't follow. It makes sense
to me, in any event.


> Also, along with blocking alert() et al from sandboxed iframes, it would
> be good to include the onbeforeunload dialog. It's a pretty common target
> for abuse. We've got a bug to disable it entirely in iframes (1131187), but
> no one is actively working on it.
>

Ah, yes. I forgot about `onbeforeunload`. I'd happily kill that inside a
sandbox as well. :)

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 12 May 2015 03:47:11 UTC
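An added example, not code from the thread or from either browser: a small audit of an iframe `sandbox` attribute value for the behaviours discussed above. Token semantics follow the HTML Standard (`allow-modals` is the token the standard later defined for the alert()/beforeunload behaviour proposed here); the finding names, `auditSandbox` and `AD_FRAME_SANDBOX` are my own constructions.

```javascript
// Added example (not from the thread). Audits an <iframe sandbox="..."> value
// against the capabilities discussed above: modal dialogs (alert() et al,
// the beforeunload prompt) and same-origin privileges.
const MODAL_TOKEN = "allow-modals";
const SAME_ORIGIN_TOKEN = "allow-same-origin";
const SCRIPTS_TOKEN = "allow-scripts";

// Tokens defined by the HTML Standard; anything else is silently ignored by
// browsers, which usually means a typo that grants nothing.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", MODAL_TOKEN, "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", SAME_ORIGIN_TOKEN, SCRIPTS_TOKEN,
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Parse the attribute as the HTML Standard does: an unordered set of unique,
// ASCII case-insensitive, space-separated tokens. null = attribute absent,
// i.e. the frame is not sandboxed at all.
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) return null;
  return new Set(attrValue.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Findings a reviewer would raise for a third-party (e.g. ad) frame.
function auditSandbox(attrValue) {
  const tokens = parseSandbox(attrValue);
  const findings = [];
  if (tokens === null) {
    findings.push("not-sandboxed");
    return { sandboxed: false, modalsAllowed: true, findings };
  }
  const modalsAllowed = tokens.has(MODAL_TOKEN);
  // alert()/confirm()/prompt() and the beforeunload prompt reach the user.
  if (modalsAllowed) findings.push("modals-allowed");
  // Frame keeps its real origin (cookies, storage); the thread singles out
  // sandboxes *without* this token as the clearest case for dropping the
  // HTTP auth dialog.
  if (tokens.has(SAME_ORIGIN_TOKEN)) findings.push("same-origin");
  // HTML Standard warning: with both tokens, a framed document that is
  // same-origin with the embedder can remove the sandbox attribute and reload.
  if (tokens.has(SAME_ORIGIN_TOKEN) && tokens.has(SCRIPTS_TOKEN)) findings.push("escapable");
  for (const t of tokens) if (!KNOWN_TOKENS.has(t)) findings.push(`unknown-token:${t}`);
  return { sandboxed: true, modalsAllowed, findings };
}

// Conservative value for an ad frame, in line with the thread: scripts may
// run, but no same-origin privileges and no modal dialogs.
const AD_FRAME_SANDBOX = "allow-scripts";
```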
