[webkit-dev] Request for position: block navigation toward external protocol from sandboxed iframe.

Arthur Sonzogni arthursonzogni at chromium.org
Mon Sep 27 08:22:14 PDT 2021

Hi webkit-dev,
This is a request for Webkit's position about blocking navigation toward
external protocols from sandboxed iframe.

Gates sandboxed iframe navigation toward external protocol behind any of:

   - allow-popups
   - allow-top-navigation
   - allow-top-navigation-with-user-gesture (+ user gesture)

Developers are surprised that a sandboxed iframe can navigate and/or
redirect the user toward an external application.
General iframe navigation in sandboxed iframe are not blocked normally,
because they stay within the iframe. However they can be seen as a popup or
a top-level navigation when it leads to opening an external application. In
this case, it makes sense to extend the scope of sandbox flags, to block



*Mozilla position*https://github.com/mozilla/standards-positions/issues/581

I would love to hear your feedback.

Arthur @arthursonzogni
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20210927/740689e6/attachment.htm>

More information about the webkit-dev mailing list