[whatwg] Cross-origin iframe and @sandbox=allow-same-origin
jmajnert at gmail.com
Mon Feb 25 02:13:36 PST 2013
From what I understand, it goes like this:
Using the sandboxing flag on an iframe causes several fine-grained
flags to be set (point 3 of the algorithm). One of the flags -
"sandboxed origin browsing context flag" forces the document into
unique origin and blocks access to document.cookie and localStorage.
This flag is set unless "allow-same-origin" is used.
So in effect, using "allow-same-origin" on an iframe containing
third-party site will sandbox it but will still allow it to use its
own document.cookie and localStorage, without giving any access to
parent browsing context. The other fine-grained sandboxing flags will
block it. In the example you gave, the "sandboxed navigation browsing
context flag" would kick in and prevent this behaviour.
2013/2/25 David Bruant <bruant.d at gmail.com>:
> The current description of the allow-same-origin sandbox token in the spec
> " The allow-same-origin keyword allows the content to be treated as being
> from the same origin instead of forcing it into a unique origin;"
> This is a very scary wording. Understood naively, I understand I could host
> a page in the "davidbruant.github.com" domain with an iframe to anywhere
> (pick your favorite social network/email client website), add
> @sandbox="allow-same-origin" and suddenly, I'd be able to look at the
> content (since the iframe would be treated as being from the same origin).
> Obviously, that's not how it works (I say "obviously", because browser
> vendors would have not implemented what I just described. If they had, the
> world might have collapsed quickly).
> From what I've tested both in Firefox and Chrome, when I have an iframe from
> a different domain, I can get the contentDocument, but it looks like
> about:blank from what I can observe in the container. Where is this behavior
> Also, in some notes, I can read:
> "Second, [allow-same-origin] can be used to embed content from a third-party
> site, sandboxed to prevent that site from opening pop-up windows, etc,
> without preventing the embedded page from communicating back to its
> originating site, using the database APIs to store data, etc."
> I fail to understand what is specific about allow-same-origin that allows
> that without adding also allow-scripts or allow-forms.
> As a more general question: does iframe at sandbox="allow-same-origin" make a
> page and a cross-origin iframe further connected than they are currently
> without the keyword?
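The reply above describes the spec's "parse a sandboxing directive" step: every fine-grained flag starts out set, and each allow-* token clears one or two of them, so allow-same-origin only clears the "sandboxed origin browsing context flag" and never grants the embedder any DOM access it would not already have under the same-origin policy. The following is an added model of that logic written for this thread (it is not code from the spec, nor from any browser); the function names parseSandboxDirective, effectiveOrigin, embedderCanAccessFrame and frameKeepsStorageAccess are hypothetical, the flag names are shortened forms of the spec's flag names, and the token table covers the tokens that existed when this thread was written.

```javascript
// Added model (not the spec's or a browser's code) of how an @sandbox value
// becomes fine-grained sandboxing flags, and what those flags imply for the
// framed document's origin and for the embedder's access to it.

// All flags that exist in this model. Every one of them is SET as soon as the
// sandbox attribute is present; tokens can only clear flags, never add power.
const ALL_FLAGS = [
  "navigation",            // always set: frame may only navigate itself/descendants
  "auxiliary-navigation",  // cleared by allow-popups
  "top-level-navigation",  // cleared by allow-top-navigation
  "plugins",               // always set, no token clears it
  "origin",                // cleared by allow-same-origin
  "forms",                 // cleared by allow-forms
  "pointer-lock",          // cleared by allow-pointer-lock
  "scripts",               // cleared by allow-scripts
  "automatic-features",    // also cleared by allow-scripts
];

// Which flags each token clears (tokens are matched ASCII case-insensitively).
const TOKEN_CLEARS = {
  "allow-same-origin":    ["origin"],
  "allow-scripts":        ["scripts", "automatic-features"],
  "allow-forms":          ["forms"],
  "allow-popups":         ["auxiliary-navigation"],
  "allow-top-navigation": ["top-level-navigation"],
  "allow-pointer-lock":   ["pointer-lock"],
};

// Turn the attribute value into the set of flags that remain set.
function parseSandboxDirective(attrValue) {
  const flags = new Set(ALL_FLAGS);
  // Tokens are separated by ASCII whitespace; unknown tokens are ignored.
  const tokens = attrValue.trim().split(/[ \t\n\f\r]+/).filter(Boolean);
  for (const raw of tokens) {
    const cleared = TOKEN_CLEARS[raw.toLowerCase()];
    if (cleared) {
      for (const f of cleared) flags.delete(f);
    }
  }
  return flags;
}

// The origin the framed document is treated as having: unique ("opaque")
// while the origin flag is set, otherwise its real origin.
function effectiveOrigin(documentOrigin, flags) {
  return flags.has("origin") ? "opaque" : documentOrigin;
}

// Can script in the embedder read the frame's DOM? This is the ordinary
// same-origin check on the frame's effective origin; sandboxing never relaxes
// it, and an opaque origin is never equal to anything.
function embedderCanAccessFrame(embedderOrigin, frameOrigin, flags) {
  const frameEffective = effectiveOrigin(frameOrigin, flags);
  return frameEffective !== "opaque" && frameEffective === embedderOrigin;
}

// Can the framed document still use its own document.cookie / localStorage?
// Only when it keeps a real (non-opaque) origin.
function frameKeepsStorageAccess(flags) {
  return !flags.has("origin");
}

// Constructed scenario from the thread: a page on one origin framing a
// third-party site with sandbox="allow-same-origin".
const embedder = "https://davidbruant.github.com";
const thirdParty = "https://social.example";
const flags = parseSandboxDirective("allow-same-origin");
console.log("flags still set:", [...flags].join(", "));
console.log("frame origin:", effectiveOrigin(thirdParty, flags));
console.log("embedder can read frame DOM:", embedderCanAccessFrame(embedder, thirdParty, flags));
console.log("frame keeps cookie/localStorage:", frameKeepsStorageAccess(flags));
```

Running it shows the two halves of the reply: with allow-same-origin the navigation, scripts and forms flags all stay set (so the frame is still sandboxed), the frame keeps its own origin and therefore its cookies and storage, and the embedder still cannot read the frame's DOM because the origins differ. Dropping the token instead turns the frame's origin opaque, which is what makes even a same-origin frame look like about:blank from the container.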