[whatwg] @sandbox and navigation top
Maciej Stachowiak
mjs at apple.com
Sat Feb 13 02:03:15 PST 2010
On Feb 12, 2010, at 11:54 PM, Adam Barth wrote:
> On Fri, Feb 12, 2010 at 11:48 PM, Michal Zalewski
> <lcamtuf at coredump.cx> wrote:
>>> Can a frame in @sandbox ever navigation the top-level frame? If
>>> not,
>>> that would make it hard to use @sandbox to contain advertisements,
>>> which want to navigate |top| when the user clicks on the ad.
>>
>> Ads would want to be able to do that, but user-controlled gadgets
>> shouldn't. I suppose the top-level page should be able to specify,
>> and
>> the entire @sandbox chain would need to be traversed to make the call
>> (so that @sandbox included on example.com that is prohibited from
>> messing with the top-level frame can't just create a nested frame
>> without the restriction, and bypass the check).
>>
>> I assume that chain-style checking is already a part of the spec, as
>> we obviously don't want other restrictions to be removed in a similar
>> manner?
>
> Yes, the sandbox restrictions collect in subframes.
>
> Perhaps we want an "allow-frame-busting" directive? In the
> implementation we have an "allow-navigation" bit that covers
> navigation |top| as well as window.open, etc. Maybe we want a more
> general directive that twiddles this bit?
Some may want to have a directive that allows only opening new windows
and not navigating the top level. This is the policy Caja tries to
enforce by default for instance. For ads I could imagine wanting only
top-level navigation and not window opening. So maybe this should be
two flags.
Reards,
Maciej
More information about the whatwg
mailing list