[whatwg] The <iframe> element and sandboxing ideas

Ian Hickson ian at hixie.ch
Fri Feb 13 15:06:25 PST 2009

(Please pick one mailing list when replying, so as to reduce 

On Thu, 22 May 2008, Boris Zbarsky wrote:
> Ian Hickson wrote:
> >      - by default, content in sandboxed browsing contexts, and any
> >        browsing contexts nested in them
> How do those nested browsing contexts come about, given that later you say:
> >     - content in those browsing contexts cannot create new browsing
> >       contexts or open modal dialogs or alerts
> ?

My summary was under-precise, my apologies. The spec itself seems to be 
unambiguous here, though let me know if I missed anything.

> >        have a unique origin
> >        (independent of the origin of their URI); this can be overriden
> >        using the "allow-same-origin" keyword
> So the parent page cannot script the contents of the iframe by default, right?


> >      - by default, script in those browsing contexts cannot run; this can
> >        be overriden using the "allow-scripts" keyword
> What happens if the parent page sets window.location to a javascript: URI on
> the sandbox iframe?  Does the script run?  If so, in which browsing context?

If the "allow-same-origin" flag is not set, the javascript: doesn't run, 
as cross-orgin javascript: execution is blocked.

If the "allow-scripts" flag is not set, uh, *fixes error in the spec*.

Ok, if the "allow-scripts" flag is not set, then javascript: doesn't run, 
as javascript execution is blocked in sandboxed browsing contexts.

> >    causes the iframe to size vertically to the bounding box
> >    of the contents, and horizontally to the width of the container
> I assume that the bounding box is computed after setting the width?

No need to assume. :-)

The spec text is at:


Please do let me know if that is suboptimal.

> >    and the style sheets that apply to the <iframe>
> >    must also apply to the contents.
> But the ' ' and '>' combinators don't cross the iframe boundary, right?

It's as if the style sheets were imported directly by the inner frame.

> > This is all HIGHLY EXPERIMENTAL. I am looking for feedback on the 
> > general approaches taken.
> As someone else pointed out, this doesn't seem like it would be usable 
> without some UA sniffing or something, as things stand.

Indeed. If someone can come up with a way of making this work in legacy 
UAs, I'd certainly be happy to change the spec to do that.

> > There are various things that this doesn't address yet; e.g. there's 
> > no way to force (or even allow) a non-seamless iframe to open links in 
> > the parent window.
> This could be an @sandbox keyword value.


> > This attribute would take a string which would then be interpreted as 
> > the source document markup of an HTML document, much like the above
> This seems very prone to security issues (injection of the closing quote 
> in the content) to me...  The base64 approach is nice in that you can't 
> shoot yourself in the foot with it.

You would only have to escape two characters (" and &, and in fact only 
the " is needed to be safe). Base64 would indeed be safer. (Right now it's 
the only option, as I haven't introduced doc='' yet.) But escaping just 
one character seems like a pretty low bar.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list