This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
# Spec Just mailing list conversation at https://lists.w3.org/Archives/Public/public-whatwg-archive/2015May/0035.html # Summary This is a new flag for `<iframe sandbox="...">` which will allow a sandboxed document to spawn new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page. # Motivation Folks in Google's anti-malvertising team would like to begin sandboxing the iframes in which ads are embedded. In some cases, this can be truly restrictive, in others they'd enable basically everything except `allow-top-navigation`. Their experiments thus far have been blocked on sandboxing's inheritance structure: there's no way to open an unsandboxed window from inside a sandbox, which means that a sandboxed advertisement leads to a sandboxed landing page, and so on. Sites like CodePen have similar desires (as noted at the bottom of https://lists.w3.org/Archives/Public/public-whatwg-archive/2014Feb/0057.html): limit the impact of unknown content by sandboxing it, but allow it to spawn unsandboxed browsing contexts for navigation. This seems like a reasonable thing to allow an embedder to opt-out of, and adding a new flag to enable otherwise limited functionality is consistent with the rest of `sandbox`. # Link to entry on the Chromium Dashboard https://www.chromestatus.com/features/5708368589094912
Changed the name of the flag after discussion with Boris, et al. CCing Boris and Dan in the hopes that they'll say they're already working on implementing the feature. ;)
Moved to https://github.com/whatwg/html/pull/14 mkwst, of course feel free to reopen this if you want to also keep tracking it here for some reason.