[whatwg] some thoughts on sandboxed IFRAMEs

Aryeh Gregor Simetrical+w3c at gmail.com
Sun Jan 24 12:09:32 PST 2010

On Sun, Jan 24, 2010 at 5:52 AM, Ian Hickson <ian at hixie.ch> wrote:
> What would the "sandbox" do, other than require one level of escaping?
> i.e. what is it protecting against?

<span sandbox>$something</sandbox> was meant to be more or less the
same as <iframe sandbox srcdoc="$something">.  The latter achieves the
same effect but is cleaner and makes more sense.  I must not have
known about the doc="" proposal at that point, but I can't remember
what I was thinking more than a month ago.

On Sun, Jan 24, 2010 at 6:19 AM, Adam Barth <whatwg at adambarth.com> wrote:
> In general, stopping malicious content from exfiltrating data isn't
> practical.  For example, even including a single hyperlink is often
> sufficient to exfiltrate a large amount of data.  In user agents that
> prefetch DNS, the user doesn't even need to click on the link.

DNS prefetching doesn't tell you anything except that someone viewed
the link, right?  And maybe what their ISP is, in a typical case.
Including an image tells you their IP address, User-Agent, and so on.

How can you get any data out of a link with no DNS prefetching?  Some
users will click the link, but not all.  Maybe quite a lot if you
allow arbitrary CSS, of course . . . you could easily make the whole
post a link.  But "everyone who clicks on a given post for some
reason" is still a lot less than "all viewers", which is what image
inclusions will do.

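The `<iframe sandbox srcdoc="...">` construction discussed above, as an added example that is not part of the thread: the untrusted markup gets exactly one level of attribute escaping before it is placed in `srcdoc`, and an empty `sandbox` attribute applies every restriction, with individual `allow-*` tokens opted back in. The helper names (`escapeAttr`, `sandboxedIframe`) and the sample input are my own.

```javascript
// Added example (not from the mailing-list thread). Builds the
// <iframe sandbox srcdoc> wrapper: the untrusted HTML lives inside an
// attribute value, so the only escaping it needs is the attribute-value
// kind; the browser decodes the character references and parses the
// result as the iframe's document, under the sandbox restrictions.

function escapeAttr(value) {
  // '&' first so the entities introduced below are not double-encoded;
  // '"' would otherwise terminate the double-quoted srcdoc attribute.
  // '<' and '>' are escaped as well so the string is also inert if it is
  // ever reused in a text context by mistake.
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function sandboxedIframe(untrustedHtml, allow = []) {
  // Empty `sandbox` = all restrictions (unique origin, no scripts, no forms,
  // no top-level navigation). Only explicitly requested tokens are added.
  const known = new Set([
    'allow-forms', 'allow-scripts', 'allow-same-origin', 'allow-popups',
  ]);
  const flags = allow.filter((f) => known.has(f));
  // allow-scripts together with allow-same-origin lets the embedded
  // document reach its parent and remove its own sandbox attribute, which
  // defeats the point of sandboxing, so reject that combination outright.
  if (flags.includes('allow-scripts') && flags.includes('allow-same-origin')) {
    throw new Error('allow-scripts + allow-same-origin disables the sandbox');
  }
  const sandbox = flags.length ? ` sandbox="${flags.join(' ')}"` : ' sandbox';
  return `<iframe${sandbox} srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`;
}

// Constructed sample: content that tries to break out of the attribute.
const sample = '<p>hi</p>"><script>x</script>';
console.log(sandboxedIframe(sample));
```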