[whatwg] @sandbox and navigation top

Adam Barth whatwg at adambarth.com
Sat Feb 13 00:36:20 PST 2010


On Sat, Feb 13, 2010 at 12:08 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> Perhaps we want an "allow-frame-busting" directive?  In the
>> implementation we have an "allow-navigation" bit that covers
>> navigation |top| as well as window.open, etc.  Maybe we want a more
>> general directive that twiddles this bit?
>
> I'm wondering if sites want to have control over the type of
> navigation: navigating the top-level context versus opening a new
> window? In particular, I am thinking about ads in embeddable gadgets
> (on social sites, or in places such as Docs, Wave, etc): you do not
> want the gadget to interfere with the presentation of the page by
> triggering disruptive and unsolicited top frame transitions (as this
> could be used for a crude DoS - in fact, IIRC, there is some history
> along these lines), but you may be OK with a pop-up ad following a
> click.

Yeah, I think there are use cases for both top-level navigation and
window.open from a sandboxed context.  I suspect there's some trade-off
between complexity and fine-grained control.

Adam


