[whatwg] @sandbox and navigation top

Maciej Stachowiak mjs at apple.com
Sat Feb 13 02:03:15 PST 2010

On Feb 12, 2010, at 11:54 PM, Adam Barth wrote:

> On Fri, Feb 12, 2010 at 11:48 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>>> Can a frame in @sandbox ever navigate the top-level frame?  If not,
>>> that would make it hard to use @sandbox to contain advertisements,
>>> which want to navigate |top| when the user clicks on the ad.
>> Ads would want to be able to do that, but user-controlled gadgets
>> shouldn't. I suppose the top-level page should be able to specify, and
>> the entire @sandbox chain would need to be traversed to make the call
>> (so that @sandbox included on example.com that is prohibited from
>> messing with the top-level frame can't just create a nested frame
>> without the restriction, and bypass the check).
>> I assume that chain-style checking is already a part of the spec, as
>> we obviously don't want other restrictions to be removed in a similar
>> manner?
> Yes, the sandbox restrictions collect in subframes.
> Perhaps we want an "allow-frame-busting" directive?  In the
> implementation we have an "allow-navigation" bit that covers
> navigating |top| as well as window.open, etc.  Maybe we want a more
> general directive that twiddles this bit?

Some may want to have a directive that allows only opening new windows
and not navigating the top level. This is the policy Caja tries to
enforce by default, for instance. For ads I could imagine wanting only
top-level navigation and not window opening. So maybe this should be
two flags.
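
Added example, not part of the original message or of any browser's code: a small model of the chain-style check discussed in this thread, with top-level navigation and window opening as two separate flags. The token names `allow-top-navigation` and `allow-popups`, the frame objects and the helper functions are assumptions made for this illustration.

```javascript
// Constructed model of sandbox flag accumulation; not browser code.
// Token names are assumptions for this example: one flag per capability.
const TOP_NAV = "allow-top-navigation";
const POPUPS = "allow-popups";

// A frame has a parent (null for the top-level page) and a sandbox value:
// null means "no sandbox attribute", otherwise a space-separated token list
// set by whoever embedded the frame.
function makeFrame(name, parent, sandbox) {
  return { name, parent, sandbox };
}

// Walk from the frame up to the top-level page. Every sandboxed frame on the
// way removes any capability its token list does not grant, so restrictions
// only accumulate: a nested frame cannot re-grant what an ancestor withheld.
function effectiveAllows(frame) {
  let allowed = new Set([TOP_NAV, POPUPS]);
  for (let f = frame; f !== null; f = f.parent) {
    if (f.sandbox === null) continue;
    const granted = new Set(f.sandbox.split(/\s+/).filter(Boolean));
    allowed = new Set([...allowed].filter((t) => granted.has(t)));
  }
  return allowed;
}

const canNavigateTop = (frame) => effectiveAllows(frame).has(TOP_NAV);
const canOpenWindow = (frame) => effectiveAllows(frame).has(POPUPS);

// Constructed frame tree: an ad that may only navigate the top level, a
// gadget that may only open windows, and two frames nested in the gadget.
const page = makeFrame("example.com", null, null);
const ad = makeFrame("ad", page, TOP_NAV);
const gadget = makeFrame("gadget", page, POPUPS);
const nested = makeFrame("nested", gadget, null);
const nestedGrant = makeFrame("nested-grant", gadget, `${TOP_NAV} ${POPUPS}`);

for (const f of [ad, gadget, nested, nestedGrant]) {
  console.log(f.name, { top: canNavigateTop(f), popup: canOpenWindow(f) });
}
```

The two nested frames show the bypass the thread rules out: neither omitting the attribute nor listing both tokens inside the gadget restores top-level navigation.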

