12393 2011-03-29 07:12:54 +0000 Add "allow-popups" for iframe@sandbox 2012-04-20 05:20:11 +0000 1 1 1 Unclassified HTML WG LC1 HTML5 spec unspecified PC Windows NT CLOSED FIXED http://dev.w3.org/html5/spec/Overview.html#attr-iframe-sandbox WGDecision P2 blocker --- 15837 15236 1 jrossi ian adrianba ian julian.reschke mike public-html-admin public-html-wg-issue-tracking rubys shadow2531 w3c public-html-bugzilla oldest_to_newest 47023 0 jrossi 2011-03-29 07:12:54 +0000 There's currently no way for a sandboxed iframe to generate popups (which for some mashup scenarios, may be valid). We should add an "allow-popups" token for the sandbox attribute. When set, window.open(), showModalDialog() [1], and links with target=”_blank” would be allowed. However, the newly created browsing contexts should inherit the sandbox restrictions of the context from which the popup was created. [1] http://www.w3.org/Bugs/Public/show_bug.cgi?id=12391 47035 1 w3c 2011-03-29 17:15:24 +0000 Makes sense to me. 49529 2 ian 2011-06-13 22:17:10 +0000 target="_blank" works fine, as far as I can tell, even in sandboxed iframes. What's the use case for sandbox content being allowed to script pop-ups? 49533 3 ian 2011-06-13 22:28:38 +0000 (by "works fine", I mean that the UA has the option of letting the user indicate that the link should work normally) 49618 4 ian 2011-06-15 06:16:01 +0000 Without a clear understanding of the use cases, I think we're better off delaying this until this feature is better understood. In particular, the idea of having sandboxing flags on a top-level browsing context is somewhat scary. Marking LATER for now; I'll reopen this when sandbox="" is more widely implemented. 50954 5 jrossi 2011-07-12 23:44:09 +0000 Reopening this as sandbox="" is now more widely implemented (IE10 Platform Preview 2). :-) IE10 PPB2 includes a vendor prefixed implementation of allow-popups. Here's one good use case: A site sandboxes a maps widget. The maps widget offers options to launch a popup for a larger map or for finding directions. By default in both Chrome and IE10, the popups are blocked. Using allow-popups enables the control to work as expected while still sandboxing the widget in the other ways. Demo: http://ie.microsoft.com/testdrive/HTML5/sandbox/Default.html (click Controlling Popups) 53400 6 mike 2011-08-04 05:13:29 +0000 mass-move component to LC1 54870 7 ian 2011-08-13 05:02:40 +0000 IE10 hasn't even shipped, so that really doesn't count as "widely implemented" yet! I meant when it's widely-enough implemented that people are able to rely on it at all. The experience with IE10 will be helpful in informing the specification. It'll be interesting to see how people use the feature. 57730 8 adrianba 2011-10-03 23:09:10 +0000 Created ISSUE-180. http://www.w3.org/html/wg/tracker/issues/180 59538 9 w3c 2011-11-03 00:53:05 +0000 https://bugs.webkit.org/show_bug.cgi?id=66505 59807 10 ian 2011-11-09 23:33:22 +0000 Reopening based on existence of multiple implementations. See also specifically this comment: https://bugs.webkit.org/show_bug.cgi?id=66505#c1 59809 11 w3c 2011-11-09 23:50:08 +0000 Another subtly is whether the sandbox flags get applied to the main frame of the popup or to the document (i.e., whether subsequent documents that inhabit the frame are sandboxed). WebKit applies the sandbox bits to the frame so that future documents in that frame also are sandboxed. If the user navigates via the browser's location bar, the bits a cleared because the new document is loaded into a "new" frame. 59811 12 jrossi 2011-11-10 01:22:18 +0000 (In reply to comment #11) > Another subtly is whether the sandbox flags get applied to the main frame of > the popup or to the document (i.e., whether subsequent documents that inhabit > the frame are sandboxed). WebKit applies the sandbox bits to the frame so that > future documents in that frame also are sandboxed. > > If the user navigates via the browser's location bar, the bits a cleared > because the new document is loaded into a "new" frame. IE10 follows a similar design. Navigations from within the page with CSP (clicking a link, window.location=foo, window.open(foo,"_self"), etc.) persist the restrictions. However, if the user navigates with the address bar then the sandbox bits are cleared. Child frames within a document with a CSP sandbox header also inherit those restrictions (in the same way a child frame of a sandboxed iframe inherit sandbox flags per HTML5). 59812 13 w3c 2011-11-10 01:46:31 +0000 That's slightly different from the discussion in public-web-security about CSP. IMHO, we should tackle the CSP issues separately. 59813 14 jrossi 2011-11-10 01:49:47 +0000 (In reply to comment #13) > That's slightly different from the discussion in public-web-security about CSP. > IMHO, we should tackle the CSP issues separately. Ack. I was still thinking about CSP when I wrote this--didn't mean to mix. My comment also applies to popups created from a sandboxed frame: The popup inherits the same restrictions. Navigations from within the page continue to have the sandbox restrictions. User navigations from the address bar clear the restrictions. Child frames within the popups also inherit the sandbox restrictions (same way as child frames in the sandbox iframe). 59842 15 rubys 2011-11-10 19:22:11 +0000 At the present time, we have a single change proposal: http://www.w3.org/html/wg/wiki/ChangeProposals/sandbox_allow_popups This change proposal is not to be applied until and unless we determine that there is consensus on this proposal. If anyone in the working group disagrees with that proposal, we request that they submit an Alternate or Counter Proposal by December 10, 2011: http://lists.w3.org/Archives/Public/public-html/2011Nov/0077.html 63099 16 rubys 2012-01-25 15:04:02 +0000 WG Decision: http://lists.w3.org/Archives/Public/public-html/2012Jan/0130.html Change Proposal: http://www.w3.org/html/wg/wiki/ChangeProposals/sandbox_allow_popups 63489 17 ian 2012-02-01 00:19:14 +0000 *** Bug 15236 has been marked as a duplicate of this bug. *** 66757 18 ian 2012-04-17 05:04:54 +0000 Done (with some minor tweaks — one based on discussions with Adrian on IM, to still allow UAs to have UI that overrides sandboxing; some minor tweaks to how the speccing works to work in the framework we have post-CSP refactoring; and a tweak to handle one place that the CP forgot to fix, namely the navigation algorithm). 66884 19 rubys 2012-04-20 03:24:34 +0000 http://html5.org/tools/web-apps-tracker?from=7053&to=7054