[whatwg] External link and new window policy [was: @sandbox and navigation top]

Markus Ernst derernst at gmx.ch
Sat Feb 13 04:24:49 PST 2010

Maciej Stachowiak schrieb:
> On Feb 12, 2010, at 11:54 PM, Adam Barth wrote:
>> On Fri, Feb 12, 2010 at 11:48 PM, Michal Zalewski 
>> <lcamtuf at coredump.cx> wrote:
>>>> Can a frame in @sandbox ever navigation the top-level frame?  If not,
>>>> that would make it hard to use @sandbox to contain advertisements,
>>>> which want to navigate |top| when the user clicks on the ad.
>>> Ads would want to be able to do that, but user-controlled gadgets
>>> shouldn't. I suppose the top-level page should be able to specify, and
>>> the entire @sandbox chain would need to be traversed to make the call
>>> (so that @sandbox included on example.com that is prohibited from
>>> messing with the top-level frame can't just create a nested frame
>>> without the restriction, and bypass the check).
>>> I assume that chain-style checking is already a part of the spec, as
>>> we obviously don't want other restrictions to be removed in a similar
>>> manner?
>> Yes, the sandbox restrictions collect in subframes.
>> Perhaps we want an "allow-frame-busting" directive?  In the
>> implementation we have an "allow-navigation" bit that covers
>> navigation |top| as well as window.open, etc.  Maybe we want a more
>> general directive that twiddles this bit?
> Some may want to have a directive that allows only opening new windows 
> and not navigating the top level. This is the policy Caja tries to 
> enforce by default for instance. For ads I could imagine wanting only 
> top-level navigation and not window opening. So maybe this should be two 
> flags.

An "allow-navigation" directive should IMO be ok. Given that a 
navigation element is allowed in the context, the user experience should 
actually not differ whether it is clicked in a sandboxed context or not.

Some off-topic thoughts about this:

Most non-academic websites apply target="_blank" on all external links. 
In order to allow a consistent user experience, it might be worth to 
encourage UAs to offer the following user settings:

1. "Open new tabs rather than windows"
This should not only apply to windows opened with target="_blank" (as it 
is already possible e.g. in Firefox), but also to the ones opened by 

2. "Always open links to other domains in a new tab" (resp. window, if 
the above option is not set)
I would even encourage to set this as the default, as it is a de-facto 
standard at least in commercial and community websites.

More information about the whatwg mailing list