[Webkit-unassigned] [Bug 104141] New: iframe sandbox blocks top navigation when a child iframe is same origin with top, but this is easily bypassed
bugzilla-daemon at webkit.org
Wed Dec 5 11:00:56 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=104141
Summary: iframe sandbox blocks top navigation when a child iframe is same origin with top, but this is easily bypassed
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Frames
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: ian.melven at gmail.com
I brought this up on the WHATWG list: http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2012-November/038149.html
In my testing with Chrome, if you have a sandboxed document with the same origin as the top level document and the sandboxed document has 'allow-same-origin allow-scripts', the sandboxed document can NOT navigate the top level document via setting window.top.location, i.e. it's blocked. Bobby Holley pointed out that blocking top navigation when the sandboxed document is same origin with the top level document is difficult, since the sandboxed document can do window.top.eval('window.location = "http://foo.com"'). Doing this bypasses the block in Chrome and the top navigation happens.
In IE 10, at least in the Windows 8 consumer preview, which is the latest version I have at the moment unfortunately, you can set window.top.location from a document that's same origin with the top level document which is contained in an <iframe sandbox = 'allow-same-origin allow-scripts'>, i.e. it doesn't need allow-top-navigation.
I asked for some clarification in the WHATWG spec but none has happened to this date.
One option would be for WebKit to also block the window.top.eval loophole, but in general we feel that trying to stop this when the documents are same origin would possibly be problematic. Another option would be to not block top navigation when the sandboxed document is same origin with the top level document (which implies it's been sandboxed with 'allow-same-origin' of course).
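Added example, not part of the bug report or of WebKit: a small audit that scans markup for `<iframe sandbox>` values and reports the token combination at issue here (allow-scripts together with allow-same-origin), since on a frame that shares the top document's origin the top-navigation block cannot be relied on regardless of allow-top-navigation. The `frameSameOriginAsTop` option and the sample HTML are assumptions constructed for the example.

```javascript
// Added example (not from the bug report): audit <iframe sandbox> attribute
// values. Per the HTML spec, tokens are space-separated and ASCII
// case-insensitive; unknown tokens grant nothing, so they are flagged as typos.
const KNOWN_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-orientation-lock', 'allow-pointer-lock',
  'allow-popups', 'allow-popups-to-escape-sandbox', 'allow-presentation',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
  'allow-top-navigation-by-user-activation', 'allow-downloads',
]);

// frameSameOriginAsTop is an assumed, caller-supplied fact: does the framed
// document share the top-level document's origin (the scenario in the report)?
function auditSandbox(value, { frameSameOriginAsTop = false } = {}) {
  const tokens = new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
  const scripts = tokens.has('allow-scripts');
  const sameOrigin = tokens.has('allow-same-origin');
  const topNavigationGranted = tokens.has('allow-top-navigation');
  // allow-scripts + allow-same-origin lets a same-origin frame script its
  // embedder and remove the sandbox attribute, so no restriction is durable.
  const sandboxEscapable = scripts && sameOrigin;
  // The report's point: with those two tokens on a frame that is same origin
  // with top, the top-navigation block is not enforceable either way.
  const topNavigationEnforceable =
    !topNavigationGranted && !(sandboxEscapable && frameSameOriginAsTop);
  const unknownTokens = [...tokens].filter((t) => !KNOWN_TOKENS.has(t));
  return { tokens: [...tokens], unknownTokens, sandboxEscapable,
           topNavigationGranted, topNavigationEnforceable };
}

// Pull every <iframe ... sandbox ...> tag out of an HTML string. A bare
// `sandbox` attribute (no value) means fully sandboxed: an empty token list.
const IFRAME_RE =
  /<iframe\b[^>]*?\bsandbox\b(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?[^>]*>/gi;
function auditHtml(html, opts) {
  return [...html.matchAll(IFRAME_RE)].map((m) => ({
    tag: m[0],
    ...auditSandbox(m[1] ?? m[2] ?? m[3] ?? '', opts),
  }));
}

// Constructed sample markup; the second tag mirrors the report's own spacing.
const SAMPLE_HTML = `
<iframe sandbox src="/untrusted.html"></iframe>
<iframe sandbox = 'allow-same-origin allow-scripts' src="/widget.html"></iframe>
<iframe sandbox="allow-scripts allow-top-navigation" src="/ad.html"></iframe>
`;

console.log(JSON.stringify(auditHtml(SAMPLE_HTML, { frameSameOriginAsTop: true }), null, 2));
```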