[whatwg] iframe sandbox and top navigation
ian at hixie.ch
Thu Jul 11 13:23:21 PDT 2013
On Wed, 28 Nov 2012, Ian Melven wrote:
> while working on https://bugzilla.mozilla.org/show_bug.cgi?id=785310
> (block setting window.top.location from a document sandboxed without
> 'allow-top-navigation') and discussing the correct behavior with Bobby
> Holley, I found some interesting differences between what Chrome and IE
> have implemented around top navigation and iframe sandbox.
> In my testing with Chrome, if you have a sandboxed document with the
> same origin as the top level document and the sandboxed document has
> 'allow-same-origin allow-scripts'
Note that that combination is highly insecure. A script in that situation
can just turn off the sandboxing and reload itself. It's only useful as a
runtime aid to enforce abstractions, like type checking; it's not a
security feature once you've got both of those enabled.
> It would be great if the spec could clarify the correct behavior around
> top navigation when the sandboxed document is/is not same origin with
> the top level document.
I think it's pretty clear now. Right at the top of the navigation
algorithm, you check "allowed to navigate"; the situation you are
describing clearly matches case 2, therefore it's not allowed to navigate,
since hte "sandboxed top-level navigation browsing context flag" is set --
you can only unset it using sandbox="... allow-top-navigation".
> One option would be for Chrome/Webkit to also block the window.top.eval loophole
Given that the file is same-origin and has scripts enabled, it's not a
loophole. It's a huge gigantic chasm. They could just put in any script
they wanted into the parent doc. They could remove their own sandboxing.
> but in general we feel that trying to stop this when the documents are
> same origin would possibly be problematic. Another option would be to
> not block top navigation when the sandboxed document is same origin with
> the top level document (which implies it's been sandboxed with
> 'allow-same-origin' of course).
> From discussions with Bobby, I think we prefer the second option. The
> restriction on navigating window.top would only be applied in the cross
> domain case.
I don't understand the use case for this. This particular combination
isn't one that really makes sense; why would we make exceptions for it?
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg