Re: [whatwg] Please consider dropping the sandbox attribute from the iframe element
On Sun, 1 Aug 2010, Tantek Çelik wrote:
> In speaking with fellow developers at Mozilla, I've collected the following feedback:
>
> The sandbox feature and functionality needs a thorough security review.

I encourage browser vendors to perform thorough security reviews of _anything_ they implement.

> It will be a lot of work to implement properly.

This is possible, yes. There exists at least one implementation already, though, so it does not seem to be excessive work.

> It may not actually solve the problem it is intending to solve.

Could you elaborate on this?

I haven't removed the feature, since it has solid use cases and implementations have begun.

-- 
Ian Hickson               U+1047E                )\._.,--,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Re: [whatwg] Please consider dropping the sandbox attribute from the iframe element
On Mon, Aug 2, 2010 at 6:41 AM, Maciej Stachowiak <m...@apple.com> wrote:
> On Aug 1, 2010, at 6:59 PM, Tantek Çelik wrote:
> > Summary: The new 'sandbox' feature on iframe should be considered for removal. It needs a security review, it will be a lot of work to implement properly, and may not actually solve the problem it is intending to solve.
> >
> > More details here: http://wiki.whatwg.org/wiki/Iframe_Sandbox
> >
> > I encourage fellow web authors and browser implementers to add their opinions/comments to that wiki page.
>
> As others have mentioned, iframe sandbox has been implemented in WebKit for some time. Additional points of information:
>
> 1) It's shipping in current versions of Safari and Chrome.
> 2) Security experts have reviewed it. @sandbox itself seems pretty solid, although there are possibly issues with related features such as text/html-sandboxed and @seamless.
> 3) Content has been built using it.
> 4) While it's unclear if iframe sandbox will work well for comments or other such cases of seamless untrusted content, it seems clearly useful for use cases like gadgets and ads.
>
> While more security review is always welcome, it seems like the basic idea is solid, and it's demonstrably implementable. The initial patch implementing it for WebKit can be seen here: http://trac.webkit.org/changeset/51577. This patch was 100k, but more than half of it is tests and the ChangeLog entry.

Ian, Adam, Maciej,

I very much appreciate the follow-up information you provided regarding this proposal. I've captured it on the WHATWG wiki here:

http://wiki.whatwg.org/wiki/Iframe_Sandbox#why_sandbox_should_be_kept

The only outstanding requests I have are (on that wiki page):

1. Adam, it would be great if you could write up the summary of all the security discussion, or at least provide links to some of it for further reading.
http://wiki.whatwg.org/wiki/Iframe_Sandbox#security

2. Maciej, could you provide a few URLs to content [that] "has been built using it"?
http://wiki.whatwg.org/wiki/Iframe_Sandbox#examples_in_the_wild

3. Maciej, could you provide code examples for how sandbox could be used for the use cases you mention of gadgets and ads?
http://wiki.whatwg.org/wiki/Iframe_Sandbox#use_cases

Thanks much,

Tantek

-- 
http://tantek.com/ - I made an HTML5 tutorial! http://tantek.com/html5
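The gadget and ad use cases Tantek asks about, worked through as an added example that is not code from the thread, from WebKit or from the spec. The keywords are the HTML spec's sandbox tokens; the profile table, the helper names and the sample origins are this example's own assumptions.

```javascript
// Sandbox flag selection for an embedded ad or gadget (added example; the
// profiles, helper names and sample origins are assumptions, the keywords are
// the HTML spec's sandbox tokens).
const PROFILES = {
  // Third-party ad: runs its own script under its own origin, but may not
  // navigate the host page or submit forms.
  ad:     { scripts: true,  forms: false, sameOrigin: true,  topNavigation: false },
  // Gadget with forms, forced into a unique origin so it cannot read the host's
  // cookies or storage even when served from the host's own domain.
  gadget: { scripts: true,  forms: true,  sameOrigin: false, topNavigation: false },
  // Untrusted static HTML (e.g. a user comment): no script at all.
  inert:  { scripts: false, forms: false, sameOrigin: false, topNavigation: false },
};

// Build the space-separated token list for the sandbox attribute.
function sandboxTokens(profile) {
  const tokens = [];
  if (profile.sameOrigin)    tokens.push("allow-same-origin");
  if (profile.scripts)       tokens.push("allow-scripts");
  if (profile.forms)         tokens.push("allow-forms");
  if (profile.topNavigation) tokens.push("allow-top-navigation");
  return tokens.join(" ");
}

// Return <iframe> markup for `src` under the named profile. Refuses the one
// combination the spec warns about: a same-origin document given both
// allow-scripts and allow-same-origin can remove the sandbox attribute from
// its own frame and reload itself unsandboxed, so the flags would protect nothing.
function sandboxedIframe(hostOrigin, src, profileName) {
  const profile = PROFILES[profileName];
  if (!profile) throw new Error("unknown profile: " + profileName);
  const url = new URL(src);
  if (profile.scripts && profile.sameOrigin && url.origin === hostOrigin) {
    throw new Error("allow-scripts with allow-same-origin on same-origin content defeats the sandbox");
  }
  // Attribute-escape the normalised URL before interpolating it into markup.
  const href = url.href.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe sandbox="${sandboxTokens(profile)}" src="${href}"></iframe>`;
}
```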
Re: [whatwg] Please consider dropping the sandbox attribute from the iframe element
On Aug 1, 2010, at 6:59 PM, Tantek Çelik wrote:
> Summary: The new 'sandbox' feature on iframe should be considered for removal. It needs a security review, it will be a lot of work to implement properly, and may not actually solve the problem it is intending to solve.
>
> More details here: http://wiki.whatwg.org/wiki/Iframe_Sandbox
>
> I encourage fellow web authors and browser implementers to add their opinions/comments to that wiki page.

As others have mentioned, iframe sandbox has been implemented in WebKit for some time. Additional points of information:

1) It's shipping in current versions of Safari and Chrome.
2) Security experts have reviewed it. @sandbox itself seems pretty solid, although there are possibly issues with related features such as text/html-sandboxed and @seamless.
3) Content has been built using it.
4) While it's unclear if iframe sandbox will work well for comments or other such cases of seamless untrusted content, it seems clearly useful for use cases like gadgets and ads.

While more security review is always welcome, it seems like the basic idea is solid, and it's demonstrably implementable. The initial patch implementing it for WebKit can be seen here: http://trac.webkit.org/changeset/51577. This patch was 100k, but more than half of it is tests and the ChangeLog entry.

Regards,
Maciej
[whatwg] Please consider dropping the sandbox attribute from the iframe element
Summary: The new 'sandbox' feature on iframe should be considered for removal. It needs a security review, it will be a lot of work to implement properly, and may not actually solve the problem it is intending to solve.

More details here: http://wiki.whatwg.org/wiki/Iframe_Sandbox

I encourage fellow web authors and browser implementers to add their opinions/comments to that wiki page.

Thanks!

Tantek

-- 
http://tantek.com/ - I made an HTML5 tutorial! http://tantek.com/html5
Re: [whatwg] Please consider dropping the sandbox attribute from the iframe element
We (webkit/chrome) have had iframe sandbox implemented for over half a year. We've found some bugs in the implementation here and there and fixed them. It solves a very real problem, has already been implemented, and your argument provides absolutely no information. Can you elaborate?

On Sun, Aug 1, 2010 at 6:59 PM, Tantek Çelik <tan...@cs.stanford.edu> wrote:
> Summary: The new 'sandbox' feature on iframe should be considered for removal. It needs a security review, it will be a lot of work to implement properly, and may not actually solve the problem it is intending to solve.
>
> More details here: http://wiki.whatwg.org/wiki/Iframe_Sandbox
>
> I encourage fellow web authors and browser implementers to add their opinions/comments to that wiki page.
>
> Thanks!
>
> Tantek
>
> -- 
> http://tantek.com/ - I made an HTML5 tutorial! http://tantek.com/html5
Re: [whatwg] Please consider dropping the sandbox attribute from the iframe element
There's been a lot of security review, both on this list and in the W3C HTML WG. I've been meaning to write up a summary of all the discussion, but I haven't gotten around to it yet. We ended up tweaking a few aspects, but generally the design seems solid.

Adam

On Sun, Aug 1, 2010 at 6:59 PM, Tantek Çelik <tan...@cs.stanford.edu> wrote:
> Summary: The new 'sandbox' feature on iframe should be considered for removal. It needs a security review, it will be a lot of work to implement properly, and may not actually solve the problem it is intending to solve.
>
> More details here: http://wiki.whatwg.org/wiki/Iframe_Sandbox
>
> I encourage fellow web authors and browser implementers to add their opinions/comments to that wiki page.
>
> Thanks!
>
> Tantek
>
> -- 
> http://tantek.com/ - I made an HTML5 tutorial! http://tantek.com/html5