25734 2014-05-15 21:16:45 +0000 Treat filesystem: and other (future) local-data-schemes as running script 2014-08-05 09:49:44 +0000 1 1 1 Unclassified WHATWG Fetch unspecified PC All RESOLVED FIXED P2 normal Unsorted 1 jonas annevk annevk ian mike w3c sideshowbarker+fetchspec oldest_to_newest 106097 0 jonas 2014-05-15 21:16:45 +0000 A page inside an <iframe sandbox="allow-same-origin"> should not be allowed to use filesystem: URLs. Allowing reading from filesystem: would effectively allow the page to probe for data in the origin's filesystem storage and then send that information back to the server. For example there have been CSS proposals for things like: background: image(url("..."), url("...")); If you point the first URL to a filesystem URL and the second url back to the home server, that would effectively let the home server know if a particular file exists in the user's filesystem API. This will apply to any other data schemes that we create for loading local data, such as if we ever introduce a indexeddb:// url scheme. So basically, from a sandboxing perspective, we should treat "load from local-data-url-schemes" as "run scripts". 106098 1 jonas 2014-05-15 21:17:38 +0000 Sounded like Adam Barth was ok with this suggestion, though I'll let him speak for himself. 106101 2 ian 2014-05-15 21:54:51 +0000 Anne, this is mostly going to be for you. Do you want me to provide a sandbox flag for this that you can hook into? 106154 3 annevk 2014-05-16 11:23:14 +0000 At what point does this sandboxing apply? Would these URLs just fail to parse or should fetching fail? 106182 4 ian 2014-05-16 17:13:40 +0000 I think fetching. Failing to parse would be very odd... I mean, it would make the utility of the parsing API dependent on sandboxing, which is weird. 106258 5 annevk 2014-05-18 12:29:02 +0000 Is sandboxing part of CSP yet? Because then it could become part of the CSP check Fetch does. 106375 6 ian 2014-05-19 20:00:42 +0000 Sandboxing and CSP interact cloely, but they're not part of each other per se. 106429 7 annevk 2014-05-20 08:50:35 +0000 K, assuming they are distinct, how should this work? http://fetch.spec.whatwg.org/#concept-fetch has a hook for HSTS and soon for CSP (open issue still). Should I add another hook for HTML sandboxing? What do you need passed? 106492 8 ian 2014-05-20 17:08:26 +0000 You would just add this to the algorithm: "...if the Document's active sandboxing flag set does not have the sandboxed something-or-other flag set, then..." Then tell me what "something-or-other" should be, and I'll add an appropriate flag. For example, "sandboxed origin-privileged schemes flag" or whatever. See pointer lock for an example of a spec integrating with this. 106545 9 annevk 2014-05-21 08:45:32 +0000 Fetch currently only has a handle back to a global (request's client). But I guess I can get to a Document from there. "sandboxed local-data scheme flag"? 106607 10 ian 2014-05-21 20:07:08 +0000 data: is "local data" too. As is cached HTTP. 106624 11 annevk 2014-05-22 07:40:04 +0000 Actually, isn't this similar to "sandboxed automatic features browsing context flag" or "sandboxed scripts browsing context flag" combined with an origin check? Is there a reason to have a distinct flag for those two? "sandboxed storage area URLs flag" 106669 12 ian 2014-05-22 18:18:41 +0000 "sandboxed storage area URLs flag" works for me. Having more flags is essentially free from the spec point of view and gives us more flexibility later. I expect implementations to actually just have one bit for all the flags that can't be individually controlled. 106694 13 annevk 2014-05-23 06:56:45 +0000 Okay, sounds good. I'll add placeholder sections to Fetch for these new schemes and implement the desired sandboxing. Where are these new schemes being defined by the way? I've the feeling I might want to give some input to make sure they work nicely with the revamped URL parser. 109903 14 contributor 2014-08-04 23:38:45 +0000 Checked in as WHATWG revision r8706. Check-in comment: Add a sandboxing flag for use by fetch http://html5.org/tools/web-apps-tracker?from=8705&to=8706 109921 15 annevk 2014-08-05 09:49:44 +0000 https://github.com/whatwg/fetch/commit/e6fa8899423652413287c0cf22cd074ffed12905