LGTM3

/Daniel

On 2023-06-05 16:20, Mike Taylor wrote:

The risk seems quite low here, thanks for the explanation. LGTM2.

On 6/5/23 6:10 AM, Yoav Weiss wrote:
LGTM1 to remove

On Mon, Jun 5, 2023 at 10:15 AM Arthur Sonzogni <arthursonzo...@chromium.org> wrote:


            Contact emails

    arthursonzo...@chromium.org


            Explainer

    
https://docs.google.com/document/d/1_89X4cNUab-PZE0iBDTKIftaQZsFbk7SbFmHbqY54os/edit



            Specification

    https://html.spec.whatwg.org/#document-open-steps


            Design docs

    
https://docs.google.com/document/d/1_89X4cNUab-PZE0iBDTKIftaQZsFbk7SbFmHbqY54os/edit


            Summary

    Sandbox flags of the caller are currently applied to the callee
    when document.open targets a different window. Stop doing it.


            Blink component

    Blink>SecurityFeature>IFrameSandbox
    
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EIFrameSandbox>


            Motivation

      * It makes it difficult for Chrome's implementation to stay in
        a consistent state.
      * The removed behavior was not specified. Safari and Firefox do
        not implement it.
      * It had no security benefits.


            Initial public proposal

    None


            Search tags

    sandbox <https://chromestatus.com/features#tags:sandbox>, iframe
    <https://chromestatus.com/features#tags:iframe>, document.open
    <https://chromestatus.com/features#tags:document.open>


            TAG review

    None


            TAG review status

    Not applicable


            Risks



            Interoperability and Compatibility

    This should be a trivial removal. Currently, 0.000002% of pages are
    "potentially" affected:
    https://chromestatus.com/metrics/feature/timeline/popularity/4375
    In most cases, a less restrictive sandbox flag is not going to
    negatively impact the affected pages. So 0.000002% should be seen
    as an upper bound. This brings Chrome's implementation closer to
    the specification, and closer to Firefox and Safari. This has a
    positive impact on interoperability.



    /Gecko/: N/A This aligns Chrome with Firefox, because Firefox
    never implemented this behavior.

    /WebKit/: N/A This aligns Chrome with Safari, because Safari
    never implemented this behavior.

    /Web developers/: No signals

    /Other signals/:


            Security

    The removed feature did not have any security benefits. A
    sandboxed iframe that can call document.open on its neighbors
    must have "allow-scripts" and "allow-same-origin" capabilities.
    This is already a known way to escape the sandbox, independently of
    document.open. For instance, one can call `eval` on its parent to
    escape its sandbox. Chrome and Firefox display the message: "An
    iframe which has both allow-scripts and allow-same-origin for its
    sandbox attribute can escape its sandboxing."

    Security considerations:
    https://docs.google.com/document/d/1_89X4cNUab-PZE0iBDTKIftaQZsFbk7SbFmHbqY54os/edit#bookmark=id.7lqerksbaalj



            WebView application risks

    Does this intent deprecate or change behavior of existing APIs,
    such that it has potentially high risk for Android WebView-based
    applications?

    None



            Debuggability



            Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

    Yes

    Before the removal: Safari/Firefox PASS. Chrome/Edge FAIL:
    https://wpt.fyi/results/html/browsers/sandboxing/sandbox-document-open-mutation.window.html?label=master&label=stable&aligned

    After the removal: Safari/Firefox/Chrome/Edge PASS:
    https://wpt.fyi/results/html/browsers/sandboxing/sandbox-document-open-mutation.window.html


            Flag name

    --enable-blink-features=DocumentOpenSandboxInheritanceRemoval


            Requires code in //chrome?

    False


            Tracking bug

    https://crbug.com/1186311


            Estimated milestones

    Shipping on desktop         116

    Shipping on Android         116

    Shipping on WebView         116



            Link to entry on the Chrome Platform Status

    https://chromestatus.com/feature/5171677800955904


            Links to previous Intent discussions



    This intent message was generated by Chrome Platform Status
    <https://chromestatus.com/>.
-- You received this message because you are subscribed to the
    Google Groups "blink-dev" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to blink-dev+unsubscr...@chromium.org.
    To view this discussion on the web visit
    
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH7Q68Xb-GTak%3DVDx1cak-3%3D77e%2BudHkquttq8au_d3jt59KJw%40mail.gmail.com
    
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH7Q68Xb-GTak%3DVDx1cak-3%3D77e%2BudHkquttq8au_d3jt59KJw%40mail.gmail.com?utm_medium=email&utm_source=footer>.

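As an added illustration of the two points the intent makes (not code from the thread or from Chromium), the JavaScript below tokenizes an iframe `sandbox` attribute the way the HTML spec does and flags the allow-scripts + allow-same-origin pair that the Security section cites, then models the behaviour change itself: the caller's restrictions being applied to the callee of document.open before the removal, and the callee keeping its own flags after. The function names `auditSandbox` and `calleeAfterDocumentOpen`, and the representation of a sandbox as a Set of allow-* tokens (null for "not sandboxed"), are assumptions made for this example.

```javascript
// Added example (not from the blink-dev thread or Chromium). Runs offline in Node.

// Keyword tokens the HTML spec defines for the sandbox attribute.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Spec "split on ASCII whitespace" (TAB, LF, FF, CR, SPACE); tokens are
// ASCII-case-insensitive, so normalize to lowercase.
function parseSandboxTokens(attrValue) {
  return attrValue.split(/[\t\n\f\r ]+/).filter(Boolean).map((t) => t.toLowerCase());
}

// Audit one sandbox attribute value. Unknown tokens are ignored by browsers
// but reported here so a reviewer can spot typos that silently grant nothing.
function auditSandbox(attrValue) {
  const tokens = parseSandboxTokens(attrValue);
  const allowed = new Set(tokens.filter((t) => KNOWN_TOKENS.has(t)));
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t));
  // Same-origin plus script lets the frame reach its parent's document (the
  // thread's example is calling eval on the parent); Chrome and Firefox warn.
  const escapable = allowed.has("allow-scripts") && allowed.has("allow-same-origin");
  const warning = escapable
    ? "An iframe which has both allow-scripts and allow-same-origin for its " +
      "sandbox attribute can escape its sandboxing."
    : null;
  return { allowed, unknown, escapable, warning };
}

// Capabilities of the callee document after caller.document.open(callee).
// callerAllowed / calleeAllowed: Set of allow-* tokens, or null if unsandboxed.
// inheritCallerFlags=true models Chrome before the removal: the caller's
// restrictions were added to the callee, so only tokens both allow survive.
// inheritCallerFlags=false models the spec, Firefox, Safari and Chrome 116+.
function calleeAfterDocumentOpen(callerAllowed, calleeAllowed, inheritCallerFlags) {
  if (!inheritCallerFlags || callerAllowed === null) return calleeAllowed;
  if (calleeAllowed === null) return new Set(callerAllowed);
  return new Set([...calleeAllowed].filter((t) => callerAllowed.has(t)));
}
```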