[Webkit-unassigned] [Bug 21288] Implement HTML5's sandbox attribute for iframes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 24 06:24:07 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=21288

--- Comment #58 from Patrik Persson <patrik.j.persson at ericsson.com>  2009-11-24 06:24:04 PST ---
(In reply to comment #51)
> I wonder if maybe the default should instead be entirely sandboxed. Is there
> any code path where the default matters? Same applies to FrameLoader. We always
> set the flags later in initialization, so maybe it's OK to fully sandbox during
> initialization. Not an important issue, but this does seem backwards from usual
> security designs to assume everything is allowed.

Defensive programming is definitely a good idea here.  We have
experimented with assigning defensive default values for sandbox flags
in this way.  There are three locations where such a defensive
initialization can be made: HTMLFrameOwnerElement, FrameLoader and
SecurityOrigin.

The FrameLoader modification is straightforward to make (changing to
'SandboxAll' in the constructor m_sandboxFlags initializer).  The
tests run fine with this change.  We excluded it from the current
patch, but we'll be happy to include it if you want us to.

I'm not sure about the other two modifications, though.  Here's why.


Default SecurityOrigin::m_sandboxFlags = SandboxAll
---------------------------------------------------

This modification fails for documents created without a frame.  The
test case http/tests/security/cookies/create-document.html is a
typical example of something that breaks.

> Is there any problem with the fact that documents that never go into a frame,
> such as ones made with XMLHttpRequest, have no sandbox flags set?

Yes, many (quite possibly all) XMLHttpRequest-based tests seem to fail
with this modification.

My interpretation of the spec (and comment #14) is that sandbox flags
can only end up in a document (specifically, its SecurityOrigin) by
being propagated from the document's frame.  No frame, no sandbox
flags.  I can't see how to assign a default SecurityOrigin flag value
other than SandboxNone based on this.


Default HTMLFrameOwnerElement::m_sandboxFlags = SandboxAll
----------------------------------------------------------

This modification fails for iframes without a sandbox attribute, which
now become sandboxed (of course).

If there is a better place than the constructor to assign a default
value, this modification could make more sense.

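The comment above argues about where a fail-closed default (SandboxAll) is safe and where it is not: safe in FrameLoader because the flags are always overwritten during initialization, but harmful in SecurityOrigin (frameless documents such as XMLHttpRequest results would become fully sandboxed) and in HTMLFrameOwnerElement (every iframe without a sandbox attribute would become sandboxed). The following is an added, self-contained C++ model of that propagation chain; it is not WebKit's code. SandboxNone, SandboxAll, m_sandboxFlags and the three class names come from the comment; the individual restriction bits, parseSandboxAttribute and originForDocument are assumptions, and the token names (allow-same-origin, allow-forms, allow-scripts, allow-top-navigation) are the HTML5 sandbox attribute keywords.

```cpp
// Illustrative model of HTML5 sandbox flag defaults and propagation.
// Not WebKit's implementation; class and flag names are stand-ins.
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>

// Bitmask of restrictions. A set bit means "restricted".
// SandboxNone / SandboxAll are the names used in the bug comment; the
// individual bits are assumptions modelled on the HTML5 sandbox tokens.
enum SandboxFlag : uint32_t {
    SandboxNone       = 0,
    SandboxNavigation = 1u << 0,  // lifted by allow-top-navigation
    SandboxPlugins    = 1u << 1,  // no token lifts this one
    SandboxOrigin     = 1u << 2,  // lifted by allow-same-origin
    SandboxForms      = 1u << 3,  // lifted by allow-forms
    SandboxScripts    = 1u << 4,  // lifted by allow-scripts
    SandboxAll        = 0xFFFFFFFFu,
};
typedef uint32_t SandboxFlags;

// Parse the value of <iframe sandbox="...">. The attribute starts from
// "everything restricted" and each recognised token lifts exactly one
// restriction; unknown tokens change nothing, so the parser fails closed.
// An empty attribute therefore yields SandboxAll.
SandboxFlags parseSandboxAttribute(const std::string& value) {
    SandboxFlags flags = SandboxAll;
    std::istringstream tokens(value);
    std::string token;
    while (tokens >> token) {
        if (token == "allow-same-origin")         flags &= ~SandboxOrigin;
        else if (token == "allow-forms")          flags &= ~SandboxForms;
        else if (token == "allow-scripts")        flags &= ~SandboxScripts;
        else if (token == "allow-top-navigation") flags &= ~SandboxNavigation;
        // any other token: ignored, restriction stays in place
    }
    return flags;
}

// Stand-in for the element that owns a frame (<iframe>).
struct HTMLFrameOwnerElement {
    bool hasSandboxAttribute;      // false => attribute absent
    std::string sandboxAttribute;  // raw attribute value when present

    // An absent attribute means "not sandboxed", which is why a
    // SandboxAll default in the element constructor would sandbox every
    // ordinary <iframe> on the web.
    SandboxFlags sandboxFlags() const {
        return hasSandboxAttribute ? parseSandboxAttribute(sandboxAttribute)
                                   : SandboxNone;
    }
};

// Stand-in for FrameLoader. A fail-closed default here is harmless
// because init() always overwrites it before the frame is used.
struct FrameLoader {
    SandboxFlags m_sandboxFlags = SandboxAll;
    void init(const HTMLFrameOwnerElement* owner) {
        m_sandboxFlags = owner ? owner->sandboxFlags() : SandboxNone;
    }
};

// Stand-in for SecurityOrigin. Flags only ever arrive by propagation
// from the document's frame, so the default must be SandboxNone.
struct SecurityOrigin {
    SandboxFlags m_sandboxFlags = SandboxNone;
    bool isSandboxed(SandboxFlags mask) const {
        return (m_sandboxFlags & mask) != 0;
    }
};

// Build a document's origin. A frameless document (for example one
// created through XMLHttpRequest) has no frame to inherit from and
// keeps SandboxNone; a SandboxAll default in SecurityOrigin would
// instead sandbox every such document, the breakage the comment reports.
SecurityOrigin originForDocument(const FrameLoader* frame) {
    SecurityOrigin origin;
    if (frame)
        origin.m_sandboxFlags = frame->m_sandboxFlags;
    return origin;
}

int main() {
    HTMLFrameOwnerElement iframe{true, "allow-scripts"};  // constructed sample
    FrameLoader loader;
    loader.init(&iframe);
    SecurityOrigin origin = originForDocument(&loader);
    std::cout << "scripts restricted: " << origin.isSandboxed(SandboxScripts)
              << ", origin restricted: " << origin.isSandboxed(SandboxOrigin)
              << ", frameless doc flags: " << originForDocument(nullptr).m_sandboxFlags
              << "\n";
    return 0;
}
```

The two defaults that the comment rejects correspond to changing `SandboxNone` to `SandboxAll` in `HTMLFrameOwnerElement::sandboxFlags()` (for the absent-attribute case) and in `SecurityOrigin::m_sandboxFlags`; the one it accepts is the `SandboxAll` already used in `FrameLoader`, which `init()` overwrites on every path.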