[whatwg] iframe sandbox and top navigation

Ian Hickson ian at hixie.ch
Thu Jul 11 13:23:21 PDT 2013

On Wed, 28 Nov 2012, Ian Melven wrote:
> while working on https://bugzilla.mozilla.org/show_bug.cgi?id=785310 
> (block setting window.top.location from a document sandboxed without 
> 'allow-top-navigation') and discussing the correct behavior with Bobby 
> Holley, I found some interesting differences between what Chrome and IE 
> have implemented around top navigation and iframe sandbox.
> In my testing with Chrome, if you have a sandboxed document with the 
> same origin as the top level document and the sandboxed document has 
> 'allow-same-origin allow-scripts'

Note that that combination is highly insecure. A script in that situation 
can just turn off the sandboxing and reload itself. It's only useful as a 
runtime aid to enforce abstractions, like type checking; it's not a 
security feature once you've got both of those enabled.

> It would be great if the spec could clarify the correct behavior around 
> top navigation when the sandboxed document is/is not same origin with 
> the top level document.

I think it's pretty clear now. Right at the top of the navigation 
algorithm, you check "allowed to navigate"; the situation you are 
describing clearly matches case 2, therefore it's not allowed to navigate, 
since the "sandboxed top-level navigation browsing context flag" is set -- 
you can only unset it using sandbox="... allow-top-navigation".

> One option would be for Chrome/Webkit to also block the window.top.eval loophole

Given that the file is same-origin and has scripts enabled, it's not a 
loophole. It's a huge gigantic chasm. They could just put in any script 
they wanted into the parent doc. They could remove their own sandboxing.

> but in general we feel that trying to stop this when the documents are 
> same origin would possibly be problematic. Another option would be to 
> not block top navigation when the sandboxed document is same origin with 
> the top level document (which implies it's been sandboxed with 
> 'allow-same-origin' of course).
> From discussions with Bobby, I think we prefer the second option. The 
> restriction on navigating window.top would only be applied in the cross 
> domain case.

I don't understand the use case for this. This particular combination 
isn't one that really makes sense; why would we make exceptions for it?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
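
As an added illustration (not part of the thread, and not any browser's or the spec's own code), the following Node-runnable model captures the two points the reply makes: the 2013 "allowed to navigate" check blocks a sandboxed frame from navigating its top-level browsing context purely on the "sandboxed top-level navigation browsing context flag", with origins playing no part in that step; and a frame sandboxed with both allow-same-origin and allow-scripts can simply rewrite its own sandbox attribute and reload, so the restriction buys nothing there. The browsing-context objects, helper names and the sample origins are assumptions made for the example; the "one permitted sandboxed navigator" exception in step 3 is not modelled.

```javascript
// Added example: a model of the HTML spec's "allowed to navigate" steps
// (2013 wording) and the same-origin sandbox escape described above.
// Context objects, helper names and origins are illustrative assumptions.

// Parse a sandbox attribute value into the flags this model tracks.
// Per the spec, every flag starts set and an allow-* token unsets one.
function parseSandbox(attrValue) {
  const tokens = new Set(
    (attrValue || '').toLowerCase().split(/\s+/).filter(Boolean)
  );
  return {
    navigation: true, // "sandboxed navigation browsing context flag" (no token unsets it)
    topLevelNavigation: !tokens.has('allow-top-navigation'),
    origin: !tokens.has('allow-same-origin'), // set => document gets a unique origin
    scripts: !tokens.has('allow-scripts'),
  };
}

// A browsing context: origin, parent, and the active document's sandboxing
// flag set (null for an unsandboxed document).
function makeContext(name, origin, parent = null, sandbox = null) {
  const flags = sandbox === null ? null : parseSandbox(sandbox);
  const effectiveOrigin = flags && flags.origin ? `unique-${name}` : origin;
  return { name, origin: effectiveOrigin, parent, flags };
}

// Is `a` an ancestor browsing context of `b`?
function isAncestor(a, b) {
  for (let p = b.parent; p; p = p.parent) if (p === a) return true;
  return false;
}
const flagSet = (ctx, flag) => !!(ctx.flags && ctx.flags[flag]);

// "A is allowed to navigate B": steps 1-3 abort negatively, step 4 succeeds.
function allowedToNavigate(a, b) {
  const bIsTop = b.parent === null;
  // Step 1: a sandboxed frame may not navigate unrelated non-top-level contexts.
  if (a !== b && !isAncestor(a, b) && !bIsTop && flagSet(a, 'navigation')) return false;
  // Step 2 (the case cited in the reply): a frame may not navigate its own
  // top-level context while the top-level-navigation flag is set. Origin is
  // not consulted here at all.
  if (bIsTop && isAncestor(b, a) && flagSet(a, 'topLevelNavigation')) return false;
  // Step 3: a sandboxed frame may not navigate other top-level contexts.
  if (bIsTop && b !== a && !isAncestor(b, a) && flagSet(a, 'navigation')) return false;
  return true;
}

// The "chasm": with allow-same-origin and allow-scripts, the frame's script
// shares the embedder's origin, so it can do
//   parent.document.querySelector('iframe').removeAttribute('sandbox')
// and reload; the reloaded document carries no sandbox flags at all.
// Without either token the attempt fails and the frame is returned unchanged.
function escapeSandbox(frame) {
  if (!frame.flags || frame.flags.scripts || frame.flags.origin) return frame;
  if (!frame.parent || frame.origin !== frame.parent.origin) return frame;
  return makeContext(frame.name, frame.parent.origin, frame.parent, null);
}

// Constructed scenarios: one top-level page embedding three sandboxed frames.
function scenarios() {
  const topLevel = makeContext('top', 'https://example.test');
  const crossNoTopNav = makeContext('f1', 'https://ads.test', topLevel, 'allow-scripts');
  const crossTopNav = makeContext('f2', 'https://ads.test', topLevel,
    'allow-scripts allow-top-navigation');
  const sameOriginSandboxed = makeContext('f3', 'https://example.test', topLevel,
    'allow-same-origin allow-scripts');
  return {
    crossOriginBlocked: allowedToNavigate(crossNoTopNav, topLevel),          // false
    crossOriginAllowed: allowedToNavigate(crossTopNav, topLevel),            // true
    sameOriginStillBlocked: allowedToNavigate(sameOriginSandboxed, topLevel),// false
    sameOriginAfterEscape: allowedToNavigate(escapeSandbox(sameOriginSandboxed), topLevel), // true
    crossOriginCannotEscape: allowedToNavigate(escapeSandbox(crossNoTopNav), topLevel),     // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scenarios());
}
```

The `sameOriginStillBlocked` result is the spec answer to the question in the thread (step 2 does not look at origins), and `sameOriginAfterEscape` is why that answer does not matter for security: the same-origin, script-enabled frame can discard the sandbox and navigate anyway, whereas the cross-origin frame (`crossOriginCannotEscape`) cannot.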
