[whatwg] Please consider dropping the "sandbox" attribute from the <iframe> element

Maciej Stachowiak mjs at apple.com
Mon Aug 2 06:41:46 PDT 2010


On Aug 1, 2010, at 6:59 PM, Tantek Çelik wrote:

> Summary: The new 'sandbox' feature on <iframe> should be considered
> for removal. It needs a security review, it will be a lot of work to
> implement properly, and may not actually solve the problem it is
> intending to solve.
> 
> More details here:
> 
> http://wiki.whatwg.org/wiki/Iframe_Sandbox
> 
> I encourage fellow web authors and browser implementers to add their
> opinions/comments to that wiki page.

As others have mentioned, <iframe sandbox> has been implemented in WebKit for some time. Additional points of information:

1) It's shipping in current versions of Safari and Chrome.
2) Security experts have reviewed it. @sandbox itself seems pretty solid, although there are possibly issues with related features such as text/html-sandboxed and @seamless.
3) Content has been built using it.
4) While it's unclear if <iframe sandbox> will work well for comments or other such cases of seamless untrusted content, it seems clearly useful for use cases like gadgets and ads.

While more security review is always welcome, it seems like the basic idea is solid, and it's demonstrably implementable. The initial patch implementing it for WebKit can be seen here: <http://trac.webkit.org/changeset/51577>. This patch was 100k, but more than half of it is tests and the ChangeLog entry.

Regards,
Maciej



