[whatwg] Cross-origin iframe and @sandbox=allow-same-origin

Janusz Majnert jmajnert at gmail.com
Mon Feb 25 02:13:36 PST 2013

>From what I understand, it goes like this:
Using the sandboxing flag on an iframe causes several fine-grained
flags to be set (point 3 of the algorithm). One of the flags -
"sandboxed origin browsing context flag"[1] forces the document into
unique origin and blocks access to document.cookie and localStorage.
This flag is set unless "allow-same-origin" is used.

So in effect, using "allow-same-origin" on an iframe containing
third-party site will sandbox it but will still allow it to use its
own document.cookie and localStorage, without giving any access to
parent browsing context. The other fine-grained sandboxing flags will
block it. In the example you gave, the "sandboxed navigation browsing
context flag"[2] would kick in and prevent this behaviour.

Janusz Majnert

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-origin-browsing-context-flag
[2] http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-navigation-browsing-context-flag

2013/2/25 David Bruant <bruant.d at gmail.com>:
> Hi,
> The current description of the allow-same-origin sandbox token in the spec
> is:
> " The allow-same-origin keyword allows the content to be treated as being
> from the same origin instead of forcing it into a unique origin;"
> This is a very scary wording. Understood naively, I understand I could host
> a page in the "davidbruant.github.com" domain with an iframe to anywhere
> (pick your favorite social network/email client website), add
> @sandbox="allow-same-origin" and suddenly, I'd be able to look at the
> content (since the iframe would be treated as being from the same origin).
> Obviously, that's not how it works (I say "obviously", because browser
> vendors would have not implemented what I just described. If they had, the
> world might have collapsed quickly).
> From what I've tested both in Firefox and Chrome, when I have an iframe from
> a different domain, I can get the contentDocument, but it looks like
> about:blank from what I can observe in the container. Where is this behavior
> described?
> Also, in some notes [1], I can read:
> "Second, [allow-same-origin] can be used to embed content from a third-party
> site, sandboxed to prevent that site from opening pop-up windows, etc,
> without preventing the embedded page from communicating back to its
> originating site, using the database APIs to store data, etc."
> I fail to understand what is specific about allow-same-origin that allows
> that without adding also allow-scripts or allow-forms.
> As a more general question: does iframe at sandbox="allow-same-origin" make a
> page and a cross-origin iframe further connected than they are currently
> without the keyword?
> Thanks,
> David
> [1]
> http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#attr-iframe-sandbox-allow-same-origin

More information about the whatwg mailing list