[whatwg] some thoughts on sandboxed IFRAMEs

Michal Zalewski lcamtuf at coredump.cx
Sun Dec 13 13:38:18 PST 2009

[...sorry for splitting the response...]

> People screw up CSRF tokens all the time.  The closing tag nonce
> design has been floating around for years.  The earliest variant I
> could find is Brendan's <jail> tag.

Sure, I hinted at it not as a brilliant new idea, but as a possibility.

I do think giving it - or just anything more flexible than frames - as
an option should be relatively simple when seamless sandbox frames are
implemented, and that it would make it infinitely more useful in
places where it would arguably do much more good.

If the authors wish to restrict this model to a specific ad / gadget
use case, and consciously decided the costs of extending it to a more
general sandboxing approach outweigh the benefits, that's definitely
fine; but this is not evident. If so, we need to revise the spec to
make this clear, perhaps nuke features such as allow-same-origin
altogether, and definitely scrap examples such as:

"<p>We're not scared of you! Here is your content, unedited:</p>
<iframe sandbox src="getusercontent.cgi?id=12193"></iframe>"

