[webkit-dev] Request for position: block navigation toward external protocol from sandboxed iframe.
Arthur Sonzogni
arthursonzogni at chromium.org
Mon Sep 27 08:22:14 PDT 2021
Hi webkit-dev,
This is a request for WebKit's position about blocking navigation toward
external protocols from sandboxed iframes.
*Summary:*
Gates sandboxed iframe navigation toward external protocol behind any of:
- allow-popups
- allow-top-navigation
- allow-top-navigation-with-user-gesture (+ user gesture)
*Motivation:*
Developers are surprised that a sandboxed iframe can navigate and/or
redirect the user toward an external application.
General iframe navigations in sandboxed iframes are not blocked normally,
because they stay within the iframe. However, they can be seen as a popup or
a top-level navigation when they lead to opening an external application. In
this case, it makes sense to extend the scope of sandbox flags, to block
malvertising.
*Issue:* https://github.com/whatwg/html/issues/2191
*Specification:* https://github.com/whatwg/html/pull/7124
*Mozilla position:* https://github.com/mozilla/standards-positions/issues/581
I would love to hear your feedback.
Arthur @arthursonzogni
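
The gating rule from the Summary, as an added example that is not part of the original message or of any browser's code: it classifies iframes by their sandbox attribute value. The function names and sample frames are constructed for illustration, and the gesture-gated flag is written with its token spelling from the HTML Standard, allow-top-navigation-by-user-activation.

```javascript
// Added example: models the gating rule in the Summary above. All function
// names are hypothetical; this is not browser or spec code.
const GESTURE_TOKEN = "allow-top-navigation-by-user-activation";
const UNCONDITIONAL_TOKENS = ["allow-popups", "allow-top-navigation"];

// Parse a sandbox attribute value into a token set. Returns null when the
// attribute is absent (the frame is not sandboxed at all). An empty string
// is a fully sandboxed frame with no allow-* tokens.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  // Tokens are separated by ASCII whitespace and compared case-insensitively.
  return new Set(attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Would a navigation to an external protocol be let through for this frame?
function externalProtocolAllowed(sandboxAttr, hasUserGesture) {
  const tokens = parseSandbox(sandboxAttr);
  if (tokens === null) return true; // unsandboxed: the gate does not apply
  if (UNCONDITIONAL_TOKENS.some((t) => tokens.has(t))) return true;
  return tokens.has(GESTURE_TOKEN) && hasUserGesture;
}

function classify(sandboxAttr) {
  if (parseSandbox(sandboxAttr) === null) return "not-sandboxed";
  if (externalProtocolAllowed(sandboxAttr, false)) return "allowed";
  if (externalProtocolAllowed(sandboxAttr, true)) return "needs-user-gesture";
  return "blocked";
}

// Constructed sample frames for the audit.
const sampleFrames = [
  { id: "ad-slot", sandbox: "allow-scripts allow-same-origin" },
  { id: "share-widget", sandbox: "allow-scripts  Allow-Popups" },
  { id: "video-embed", sandbox: "allow-scripts\tallow-top-navigation-by-user-activation" },
  { id: "locked-down", sandbox: "" },
  { id: "legacy-embed", sandbox: null },
];

function auditFrames(frames) {
  return Object.fromEntries(frames.map((f) => [f.id, classify(f.sandbox)]));
}

console.log(auditFrames(sampleFrames));
```

Frames reported as "allowed" or "not-sandboxed" are the ones to review when the embedded content is untrusted, such as third-party ads.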