[whatwg] iframe sandbox allow-bottom-navigation
Adam Barth
w3c at adambarth.com
Mon Sep 6 09:42:50 PDT 2010
What do you mean by access to the iframe's browsing context? Is that
access you would have if the iframe were not sandboxed?
Adam
On Mon, Sep 6, 2010 at 7:31 AM, Nick Vidal <nick at iss.im> wrote:
> In addition to allow-top-navigation for the iframe's sandbox
> attribute, I propose the opposite: allow-bottom-navigation. This would
> allow a parent document to have access to the iframe's
> browsing-context (even when the user has navigated to a different
> domain).
>
> I'm building a Webtop (a Desktop Environment on top of the Web) that
> allows users to navigate websites securely through iframes [note 1].
> An iframe is necessary to protect the Webtop from being compromised by
> an untrusted website. However, this also restricts the Webtop from
> accessing the browsing-context of the iframe.
>
> The allow-bottom-navigation would permit the Webtop:
>
> a) to provide independent navigation controls for each iframe [note 2];
> b) to bookmark a website;
> c) to save a session (i.e. to save all opened task windows, including
> those that have an iframe).
>
> I don't see any security risks, since the parent document would have
> access only to the browsing context of the iframe. No other access
> would be granted.
>
> Best regards,
> Nick
>
> Notes:
> 1) More information here: http://itop.iss.im/
> 2) As previously discussed here:
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2010-August/027884.html
>