29100 2015-08-29 10:45:53 +0000 Current iframe sandbox does not prevent download from sandboxed child frame 2016-04-28 16:12:16 +0000 1 1 1 Unclassified HTML WG CR HTML5 spec unspecified PC All RESOLVED MOVED P2 major --- 1 s.h.h.n.j.k robin lwatson public-html-admin public-html-bugzilla oldest_to_newest 122894 0 1622 s.h.h.n.j.k 2015-08-29 10:45:53 +0000 Created attachment 1622 Please let me know if it does not work Hi, Current iframe sandbox does not prevent download from sandboxed child frame. This allows malicious ads to force download malicious files which users might think that it is served from trusted parent domain. 122915 1 s.h.h.n.j.k 2015-08-31 09:38:28 +0000 Is there anyone looking into this? 126273 2 lwatson 2016-04-28 16:12:16 +0000 Moved to HTML on Github: https://github.com/w3c/html/issues/301 1622 2015-08-29 10:45:53 +0000 2015-08-29 10:45:53 +0000 Please let me know if it does not work iframe.html text/html 535 s.h.h.n.j.k 77u/PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlv bmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRp b25hbC5kdGQiPg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0K PGhlYWQ+DQo8L2hlYWQ+DQo8Ym9keT4NCjxpZnJhbWUgc2FuZGJveCBzcmM9Imh0dHBzOi8vd3d3 Lmdvb2dsZS5jb20vcz9zY2xpZW50PXBzeS1hYiZzaXRlPSZzb3VyY2U9aHAmcT10ZXN0Jm9xPSZn c19sPSZwYng9MSZiYXY9b24uMixvci5yX2NwLiZidm09YnYuMTAxNTI1MTg4LGQuZDI0JmZwPWI5 ZDcyMWE2ZGU1NDllNjkmYml3PTEzNjYmYmloPTE1MCZkcHI9MSZwZj1wJmdzX3JuPTY0JmdzX3Jp PXBzeS1hYiZ0b2s9c1hJZ2s4TkRhU3gtYW1oWEdEeERYZyZjcD00JmdzX2lkPWRqJnhocj10JnRj aD0xJmVjaD01JnBzaT1pNHZoVmE2ZE44ZmRVY2ItcnZBUC4xNDQwODQ0Njg0MTA2LjEiPjwvaWZy YW1lPg0KPC9ib2R5Pg0KPC9odG1sPg==