[whatwg] Additional attribute value for iframe sandbox

Ian Hickson ian at hixie.ch
Mon Jul 9 17:47:00 PDT 2012

On Mon, 30 Apr 2012, Tim Streater wrote:
> I'd like to request that it be possible for links in sandboxed iframes, 
> when clicked, to open in a new window. My reading of the documentation 
> suggests that in a sandboxed iframe, links are disabled except that 
> "allow-top-navigation" permits the equivalent of "target='_top'". In 
> effect, I'd like a new value that permits "target='_blank'". Testing 
> today tells me that in fact in Safari 5.1.5 at least, a sandboxed iframe 
> does not interfere in any way with links.
> My use case is this. My application, a mail client, receives html emails 
> and uses an iframe to display them. A good example of such a mail can be 
> seen here:
> http://www.newscientist.com/data/projects/newsletter/newsletter20120430rwau.html
> (When I receive it, the recipient's email address is in the bottom part 
> of the page rather than #emailaddr#.) This is an example of a trusted 
> email which has links. At present, my application strips out scripts as 
> a primitive security measure, but I'd rather use a sandboxed iframe if 
> possible. However, a user will expect to be able to click on a link in 
> such an email and have a new window opened, separate from the email 
> client. Hence my request for a new value for the sandbox attribute.

On Mon, 30 Apr 2012, Charles Pritchard wrote:
> On 4/30/12 2:04 PM, Tim Streater wrote:
> > On 30 Apr 2012 at 21:17, Charles Pritchard<chuck at jumis.com>  wrote:
> > > They've got an allow-popup in IE and I think WebKit. It's just a 
> > > little slow going in getting it firmly out there.
> >
> > Yes, I saw that as I worked on through the archive. But they want to 
> > enforce the same restrictions on the newly-opened window as the iframe 
> > had. I'd prefer no restrictions, but also no connection back from the 
> > opened window to its parent. IOW, just as if one had opened a new 
> > browser window and typed the URI in manually.
> The about:blank + <meta refresh> hack is no fun; the thing used to break 
> out of origin in webkit.
> I'd hoped iframe sandbox had that solved.

Well, nothing stops the user from opening any links the user wants to open 
wherever the user wants to open them. All sandbox="" does is prevent the 
page from automatically opening pages.

I'm not 100% clear on what you're trying to block with sandbox if that's 
not sufficient. Maybe if you could describe your threat model in more 
detail it would be clearer?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list