[whatwg] some thoughts on sandboxed IFRAMEs

Michal Zalewski lcamtuf at coredump.cx
Sun Dec 13 17:41:28 PST 2009

> <span sandbox><span>But this span will have another span as its
> child, sandboxed.  The regular parser sees no entities here, only a
> nested span!</span></span>

That's a pretty reasonable variant for lightweight sandboxes, IMO. It
does not have the explicit assurance of a token-based approach (i.e.,
will not fail right away if the user gets it wrong), but it's better
than data: URLs or @doc in that - as you noted - it will fail quickly
if the encapsulated HTML is not escaped, while this may still go
unnoticed until abused:

<iframe sandbox doc="<h1>User input without escaping"></iframe>
<iframe sandbox src="data:text/html,<h1>User input without escaping"></iframe>

As a side note, the other benefit of sandboxed spans and divs in such
a design is that you can then have .innerHTML on sandbox-tagged
elements automagically conform to the sandboxing rules, without the
need for .toStaticHTML, .secureInnerHTML, or similar approaches (which
are error-prone by the virtue of tying sanitization to data access
method, rather than a particular element).


More information about the whatwg mailing list