- From: Mike West <mkwst@google.com>
- Date: Tue, 12 May 2015 05:46:26 +0200
- To: Justin Dolske <dolske@mozilla.com>
- Cc: David Bruant <bruant.d@gmail.com>, Jim Manico <jim.manico@owasp.org>, WHAT Working Group Mailing List <whatwg@whatwg.org>, Chris Coyier <chriscoyier@gmail.com>, Alex Russell <slightlyoff@google.com>, Brad Hill <hillbrad@gmail.com>, Ian Hickson <ian@hixie.ch>
On Mon, May 11, 2015 at 11:59 PM, Justin Dolske <dolske@mozilla.com> wrote: > On Mon, May 11, 2015 at 7:13 AM, Mike West <mkwst@google.com> wrote: > >> > The worst offender: linking to things that are .htpasswd protected and >> it >> > pops up that authentication modal. >> > >> >> I wouldn't be terribly averse to dropping support for that inside a >> sandbox. Especially a sandbox without `allow-same-origin`. >> >> > Firefox sorta does this by default, as of > https://bugzilla.mozilla.org/show_bug.cgi?id=647010. At least it appears > to for cross-origin iframes, which I would expect to be the normal case for > ads? > Interesting! Thanks for the pointer to the bug. If Firefox is already going this route, I don't see any reason Chrome shouldn't follow. It makes sense to me, in any event. > Also, along with blocking alert() et al from sandboxed iframes, it would > be good to include the onbeforeunload dialog. It's a pretty common target > for abuse. We've got a bug to disable it entirely in iframes (1131187), but > no one is actively working on it. > Ah, yes. I forgot about `onbeforeunload`. I'd happily kill that inside a sandbox as well. :) -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 12 May 2015 03:47:11 UTC