<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Add flags allow-popups-to-escape-sandbox and allow-modals to iframe sandbox"

   href="https://bugs.webkit.org/show_bug.cgi?id=158875">158875</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Add flags allow-popups-to-escape-sandbox and allow-modals to iframe sandbox

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Critical

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Layout and Rendering

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>lubin2010&#64;gmail.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>simon.fraser&#64;apple.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>There have been some improvements proposed to iframe sandbox:

<a href="https://wiki.whatwg.org/wiki/Iframe_sandbox_improvments">https://wiki.whatwg.org/wiki/Iframe_sandbox_improvments</a>

<a href="https://html.spec.whatwg.org/multipage/browsers.html#attr-iframe-sandbox-allow-popups-to-escape-sandbox">https://html.spec.whatwg.org/multipage/browsers.html#attr-iframe-sandbox-allow-popups-to-escape-sandbox</a>

<a href="https://html.spec.whatwg.org/multipage/browsers.html#attr-iframe-sandbox-allow-modals">https://html.spec.whatwg.org/multipage/browsers.html#attr-iframe-sandbox-allow-modals</a>

The reasoning behind these improvements is to make iframe sandbox usable for framed unsafe content (e.g., advertisements) and to disallow modal dialogs by default in sandboxed iframe:

allow-popups-to-escape-sandbox: With this flag, if a user interacts with an ad and clicks on it, it should be able to open up the ads landing page as a top level page in a new tab without being sandboxed.

allow-modals: The content inside sandboxed iframe should not be able to open modal dialogs unless this flag is specified.

Both Chrome and Firefox are supporting the new attributes now:

<a href="https://googlechrome.github.io/samples/allow-popups-to-escape-sandbox/index.html">https://googlechrome.github.io/samples/allow-popups-to-escape-sandbox/index.html</a>

<a href="https://googlechrome.github.io/samples/block-modal-dialogs-sandboxed-iframe/">https://googlechrome.github.io/samples/block-modal-dialogs-sandboxed-iframe/</a>

<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1190641">https://bugzilla.mozilla.org/show_bug.cgi?id=1190641</a></pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>