[whatwg] iframe sandbox allow-bottom-navigation

Nick Vidal nick at iss.im
Mon Sep 6 07:31:37 PDT 2010


In addition to allow-top-navigation for the iframe's sandbox
attribute, I propose the opposite: allow-bottom-navigation. This would
allow a parent document to have access to the iframe's
browsing-context (even when the user has navigated to a different
domain).

I'm building a Webtop (a Desktop Environment on top of the Web) that
allows users to navigate websites securely through iframes [note 1].
An iframe is necessary to protect the Webtop from being compromised by
an untrusted website.  However, this also restricts the Webtop from
accessing the browsing-context of the iframe.

The allow-bottom-navigation would permit the Webtop:

a) to provide independent navigation controls for each iframe [note 2];
b) to bookmark a website;
c) to save a session (i.e. to save all opened task windows, including
those that have an iframe).

I don't see any security risks, since the parent document would have
access only to the browsing context of the iframe. No other access
would be granted.

Best regards,
Nick

Notes:
1) More information here: http://itop.iss.im/
2) As previously discussed here:
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2010-August/027884.html


