[whatwg] Please consider dropping the "sandbox" attribute from the <iframe> element

Tantek Çelik tantek at cs.stanford.edu
Tue Aug 3 12:10:26 PDT 2010

On Mon, Aug 2, 2010 at 6:41 AM, Maciej Stachowiak <mjs at apple.com> wrote:
> On Aug 1, 2010, at 6:59 PM, Tantek Çelik wrote:
>> Summary: The new 'sandbox' feature on <iframe> should be considered
>> for removal. It needs a security review, it will be a lot of work to
>> implement properly, and may not actually solve the problem it is
>> intending to solve.
>> More details here:
>> http://wiki.whatwg.org/wiki/Iframe_Sandbox
>> I encourage fellow web authors and browser implementers to add their
>> opinions/comments to that wiki page.
> As other have mentioned, <iframe sandbox> has been implemented in WebKit for some time. Additional points of information:
> 1) It's shipping in current versions of Safari and Chrome.
> 2) Security experts have reviewed it. @sandbox itself seems pretty solid, although there are possibly issues with related features such as text/html-sandboxed and @seamless.
> 3) Content has been built using it.
> 4) While it's unclear if <iframe sandbox> will work well for comments or other such cases of seamless untrusted content, it seems clearly useful for use cases like gadgets and ads.
> While more security review is always welcome, it seems like the basic idea is solid, and it's demonstrably implementable. The initial patch implementing it for WebKit can be seen here: <http://trac.webkit.org/changeset/51577>. This patch was 100k, but more than half of it is tests and the ChangeLog entry.

Ian, Adam, Maciej, I very much appreciate the follow-up information
you provided regarding this proposal.

I've captured it on the WHATWG wiki here:


The only outstanding requests I have are (on that wiki page)

1. Adam, it would be great if you could write up the "summary of all the
security discussion" - or at least provide links to some of it for
further reading.


2. Maciej, could you provide a few URLs to  "content [that] has been
built using it." ?


3. Maciej, could you provide code examples for how sandbox could be
used for the use cases you mention of gadgets and ads?


Thanks much,


http://tantek.com/ - I made an HTML5 tutorial! http://tantek.com/html5

More information about the whatwg mailing list