On Tue, Dec 2, 2014 at 6:04 PM, Boris Zbarsky <bzbar...@mit.edu> wrote: > Actually, sandboxing iframes of your own site is one of the main sandbox use > cases: it allows limited user upload of content without creating security > holes, in theory.
No it is not, only if you use it in combination with srcdoc you are safe. Otherwise an attacker could trick the user to navigate directly to the file and steal cookies or origin-bound data. (The solution here is to finally fix the clipboard stuff. I believe both Gecko and Chrome have similar plans to address this case judging from their mailing lists. It would be good if those discussions moved into a spec space.) -- https://annevankesteren.nl/