[whatwg] some thoughts on sandboxed IFRAMEs

Adam Barth whatwg at adambarth.com
Sun Jan 24 03:19:10 PST 2010


On Sun, Jan 24, 2010 at 11:52 AM, Ian Hickson <ian at hixie.ch> wrote:
> On Fri, 11 Dec 2009, Michal Zalewski wrote:
>> 2.1) The ability to disable loading of external resources (images,
>> scripts, etc) in the sandboxed document. The common usage scenario is
>> when you do not want the displayed document to "phone home" for privacy
>> reasons, for example in a web mail system.
>
> Good point. Should we make sandbox="" disable off-origin network requests?

In general, stopping malicious content from exfiltrating data isn't
practical.  For example, even including a single hyperlink is often
sufficient to exfiltrate a large amount of data.  In user agents that
prefetch DNS, the user doesn't even need to click on the link.

> On Sun, 13 Dec 2009, Adam Barth wrote:
>> I'm very interested in a solution that works for the following use
>> cases:
>>
>> 1) A web page wants to display untrusted (i.e., restricted) HTML
>> received via cross-site XMLHttpRequest or postMessage.
>
> Do you have a concrete use case for which <iframe> doesn't work?

<iframe sandbox srcdoc> might work nicely for this use case, actually,
especially because setting srcdoc from the DOM removes the need to
escape ".

Adam


More information about the whatwg mailing list