Opening Terms of Service and Privacy Policy links in an iframe inside the dialog

See the original discussion on https://groups.google.com/d/topic/mozilla.dev.identity/KWWFBhU0HMY/discussion

Risks

• ToS or PP page frame-busting and replacing the dialog with a visually identical phishing page

Mitigations

• sandbox attribute on the iframe:
  • disables JavaScript, plugins
  • IE10+, Safari, Chrome, Firefox
  • http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox
  • http://caniuse.com/#search=iframe-sandbox
• security="restricted" attribute on the iframe
  • disables JavaScript, plugins
  • IE8+
  • http://msdn.microsoft.com/en-us/library/ms534622%28VS.85%29.aspx
  • http://msdn.microsoft.com/en-us/library/ms537186%28v=vs.85%29.aspx#high
• nothing for Opera?

Background

• Cross-Frame Scripting:
  • https://owasp.org/index.php/Cross_Frame_Scripting
• Cick-jacking and frame busting:
  • https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf
  • http://seclab.stanford.edu/websec/framebusting/framebust.pdf