Re: [whatwg] `iframe[@sandbox]`: "sandblaster" JS library for analysis/modification

From: James M. Greene <james.m.greene@gmail.com>
Date: Wed, 30 Sep 2015 14:37:20 -0500
Message-ID: <CALrbKZgkAzYG+JA0cX=5N4Sh=s8NrkazVSQG_5=K1ZopvUKZZQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>

On Wed, Sep 30, 2015 at 10:51 AM, Mike West <mkwst@google.com> wrote:

> On Wed, Sep 30, 2015 at 4:56 PM, James M. Greene <james.m.greene@gmail.com
> > wrote:
>>
>> *aaaaand* potentially modifying/dismantling
>> iframe sandboxes.
>>
>
> Are you able to do this in any cases other than `allow-same-origin` and
> `allow-scripts`? If so, we should fix them. :)
>

I haven't spotted any such holes, though I also haven't tested it in all of
the various browser/OS configurations.  Again, you can see the live
analysis results for your browser at
http://jamesmgreene.github.io/sandblaster/test-iframes.html :)



> Thanks for putting this together!
>

Welcomed!  It was an interesting learning experience for me.


Sincerely,
   James Greene
Received on Wednesday, 30 September 2015 19:38:07 UTC
