[Webkit-unassigned] [Bug 90613] Inside a sandboxed iframe, it should be possible to create another iframe and access it

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 10 02:47:31 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=90613

--- Comment #6 from Bruno Michel <bruno.michel at af83.com>  2012-07-10 02:47:31 PST ---
(In reply to comment #3)
> I don't know how to make this safe. We don't want to allow the sandboxed page to create an iframe that contains the parent page and then be able to manipulate it, for example. That would defeat the whole purpose of sandboxing the page.

Maybe it's just a stupid idea, but if the sandboxed page creates an iframe by using the srcdoc attribute, we could allow the sandboxed page to manipulate the iframe.

> You can use postMessage() to communicate between the iframes.

Well, it's precisely what I was trying to avoid. Let me explain my case: we are writing an ebook reader, and the ebooks can contain JavaScript (useful scripts for reading the ebook, but also unsafe ones). The ebooks are HTML files that we load in iframes, and we manipulate some CSS rules on the iframe to go from one page to another (overflow: hidden, top position, etc.).

If we put the sandbox flag on these iframes, we can no longer go from one page to another. A possibility is to inject JavaScript into this iframe to communicate with postMessage(). But we don't control the content of the iframe, and it's very difficult to have reliable JavaScript in this context.

Another reason (maybe a bad one) is that the reader uses a library (Monocle) for moving between the pages, and using postMessage() will transform some direct code into asynchronous code; it's hard to modify an existing lib afterwards in such a way.

So, I tried to add an indirection: we put only the content in the iframe, and it's our reader that we sandbox. And, as our reader has to communicate with our API (to add annotations, for example), it uses postMessage() with the parent page, which makes the Ajax calls (after some filters).

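The indirection described in the comment above (a sandboxed reader iframe that asks the parent page to make the API calls "after some filters") leaves the parent page with the security-relevant decision: which messages from the sandboxed frame it will act on. The block below is an added example of that parent-side filter; it is not code from the bug report, from the reader Bruno describes, or from Monocle. The message shape ({type, id, payload}), the action names "annotation.add" and "annotation.list", the annotation fields, and the `api` interface are all assumptions made for the example. Two browser facts it relies on: a sandboxed iframe without allow-same-origin has an opaque origin, which MessageEvent.origin reports as the string "null", so the sender must be identified by event.source rather than by origin; and an opaque origin cannot be named as a targetOrigin, so replies to that frame have to use "*".

```javascript
// Added example: parent-page side of a postMessage bridge to a sandboxed
// reader iframe. Not the bug reporter's or Monocle's code; message shape,
// action names and payload fields are assumptions for illustration.

// Allow-list of actions the sandboxed reader may request, each with its own
// payload validator. Anything not listed here never reaches the API.
const ALLOWED_ACTIONS = {
  "annotation.add": (p) =>
    !!p && typeof p === "object" &&
    typeof p.cfi === "string" && p.cfi.length <= 512 &&
    typeof p.text === "string" && p.text.length <= 4096,
  "annotation.list": (p) => p === undefined || p === null,
};

// Decide whether a message may be forwarded to the API.
// `event` has the shape of a MessageEvent: {origin, source, data}.
// `readerWindow` is the contentWindow of the iframe the parent created.
function filterReaderMessage(event, readerWindow) {
  // The browser sets event.source; a script in any other frame cannot forge
  // it. This is the check that actually authenticates the sender.
  if (event.source !== readerWindow) {
    return { ok: false, reason: "unexpected source window" };
  }
  // Sanity check against misconfiguration: a reader frame that is sandboxed
  // without allow-same-origin reports the opaque origin "null". A real origin
  // here means the sandbox attribute was dropped or widened.
  if (event.origin !== "null") {
    return { ok: false, reason: "reader frame does not have an opaque origin" };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  // hasOwnProperty guards against names like "constructor" resolving through
  // the prototype chain and passing as an allowed action.
  const check = Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, msg.type)
    ? ALLOWED_ACTIONS[msg.type]
    : null;
  if (!check) {
    return { ok: false, reason: "action not allowed: " + msg.type };
  }
  if (!check(msg.payload)) {
    return { ok: false, reason: "invalid payload for " + msg.type };
  }
  return { ok: true, type: msg.type, id: msg.id, payload: msg.payload };
}

// Wire the filter to a real iframe element in a browser. `api` maps action
// names to functions that perform the Ajax call and return a Promise
// (assumed interface). Only defined here; call it from page code.
function installReaderBridge(readerFrame, api) {
  window.addEventListener("message", (event) => {
    const verdict = filterReaderMessage(event, readerFrame.contentWindow);
    // Drop rejected messages silently: never echo attacker-controlled data back.
    if (!verdict.ok || typeof api[verdict.type] !== "function") return;
    api[verdict.type](verdict.payload).then(
      (result) => event.source.postMessage({ id: verdict.id, ok: true, result }, "*"),
      (err) => event.source.postMessage({ id: verdict.id, ok: false, error: String(err) }, "*")
    );
    // targetOrigin is "*" because an opaque ("null") origin cannot be named;
    // the reply still only goes to event.source, the reader frame itself.
  });
}
```

Usage: in the parent page, `installReaderBridge(document.getElementById("reader"), api)` after the sandboxed reader iframe (sandbox="allow-scripts", no allow-same-origin) has been inserted. The allow-list is the "filter" part of the design: the sandboxed reader can ask for an annotation to be added, but it cannot turn the parent into a generic proxy for arbitrary Ajax calls.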