- From: Mike West <mkwst@google.com>
- Date: Tue, 12 May 2015 18:55:06 +0200
- To: Ian Melven <ian.melven@gmail.com>
- Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Chris Coyier <chriscoyier@gmail.com>, David Bruant <bruant.d@gmail.com>, Ian Hickson <ian@hixie.ch>, Alex Russell <slightlyoff@google.com>
On Tue, May 12, 2015 at 6:45 PM, Ian Melven <ian.melven@gmail.com> wrote:

> This is what I expected. showModalDialog is a bit of an edge case perhaps.
> Sounds like this needs a new sandbox attribute value to re-opt back in to
> it like 'allow-modals' or whatever you suggested :) This is a behavior
> change as you said, but I defer to your stats on the (lack of) usage of
> iframe sandbox :(

Since Chrome has dropped support for `showModalDialog` entirely, I'm not terribly worked up about it. :) If folks want an opt-in, then `allow-modals` is probably a fine way to do it. Again, it's not clear to me that there's a _good_ use case for modal dialogs popping up from a frame (even an unsandboxed frame!).

> Yeah, my main point was this should be tied to allow-popups somehow. If we
> proceeded this way ('allow-popups' + 'allow-unsandboxed-popups') to me that
> would mean that sandboxed iframe could only ever open unsandboxed aux
> browsing contexts. I think that's probably OK because we can't trust the
> sandboxed iframe to tell us itself whether an aux context it's opening
> should be sandboxed or not - so making this essentially a one time setting
> for the iframe it can't change seems to be correct.

That's the way the prototype I'm playing with works (https://codereview.chromium.org/1139933002). I don't think there's a good way to specify that some auxiliary browsing contexts are sandboxed and some aren't. Especially given the general use case of fourth-, fifth-, and sixth-party sources, nested somewhere inside the deepest darkest corners of the iframe displaying the content the user actually sees. Making it a binary toggle for the frame seems reasonable, given that it's opt-in in the first place.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg, Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 12 May 2015 16:55:51 UTC
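
The per-frame toggle discussed in the message above, as an added example that is not part of the original message and is not taken from the Chromium prototype. It is a small model in which the function names are hypothetical, the token names are the ones proposed in the thread, and the rule that a nested frame keeps only the tokens its sandboxed ancestors also granted is an assumption of the model.

```javascript
// Token names as used in this thread; 'allow-unsandboxed-popups' and
// 'allow-modals' are the proposed names, modelled here, not browser code.
const KNOWN = new Set(['allow-scripts', 'allow-same-origin', 'allow-forms',
  'allow-popups', 'allow-unsandboxed-popups', 'allow-modals']);

// sandbox attribute value -> set of granted tokens; null = no attribute.
function parseSandbox(attr) {
  if (attr === null) return null;
  return new Set(attr.toLowerCase().split(/\s+/).filter(t => KNOWN.has(t)));
}

// chain lists sandbox attributes from the outermost iframe to the innermost.
// Assumption: restrictions accumulate, so a nested frame only keeps a token
// that every sandboxed ancestor also granted.
function effectiveTokens(chain) {
  let eff = null;
  for (const attr of chain) {
    const own = parseSandbox(attr);
    if (own === null) continue;            // no attribute: inherit as-is
    eff = eff === null ? own : new Set([...own].filter(t => eff.has(t)));
  }
  return eff;
}

// Outcome of window.open() from the innermost frame under the proposal.
function openPopup(chain) {
  const eff = effectiveTokens(chain);
  if (eff === null) return { result: 'unsandboxed' };
  if (!eff.has('allow-popups')) return { result: 'blocked' };
  if (eff.has('allow-unsandboxed-popups')) return { result: 'unsandboxed' };
  // Default: the auxiliary browsing context inherits the opener's sandbox.
  return { result: 'sandboxed', sandbox: [...eff].sort().join(' ') };
}

// Modal dialogs stay blocked in a sandboxed frame unless it opted back in.
function canShowModal(chain) {
  const eff = effectiveTokens(chain);
  return eff === null || eff.has('allow-modals');
}

// Constructed sample: the embedder sandboxes a frame; a nested third-party
// frame lists the escape token itself, which the embedder never granted.
const chain = ['allow-scripts allow-popups',
               'allow-scripts allow-popups allow-unsandboxed-popups'];
console.log(openPopup(chain));   // popup stays sandboxed
console.log(canShowModal(chain));
```

In this model only the embedder's own attribute can let popups leave the sandbox, which is the binary, opt-in behaviour the message describes.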