On Feb 12, 2010, at 11:54 PM, Adam Barth wrote:
On Fri, Feb 12, 2010 at 11:48 PM, Michal Zalewski
<lcam...@coredump.cx> wrote:
Can a frame in @sandbox ever navigation the top-level frame? If
not,
that would make it hard to use @sandbox to contain advertisements,
which want to navigate |top| when the user clicks on the ad.
Ads would want to be able to do that, but user-controlled gadgets
shouldn't. I suppose the top-level page should be able to specify,
and
the entire @sandbox chain would need to be traversed to make the call
(so that @sandbox included on example.com that is prohibited from
messing with the top-level frame can't just create a nested frame
without the restriction, and bypass the check).
I assume that chain-style checking is already a part of the spec, as
we obviously don't want other restrictions to be removed in a similar
manner?
Yes, the sandbox restrictions collect in subframes.
Perhaps we want an "allow-frame-busting" directive? In the
implementation we have an "allow-navigation" bit that covers
navigation |top| as well as window.open, etc. Maybe we want a more
general directive that twiddles this bit?
Some may want to have a directive that allows only opening new windows
and not navigating the top level. This is the policy Caja tries to
enforce by default for instance. For ads I could imagine wanting only
top-level navigation and not window opening. So maybe this should be
two flags.
Reards,
Maciej