Features/Platform/Iframe Sandbox: Difference between revisions

Jump to navigation Jump to search

Features/Platform/Iframe Sandbox (view source)

Revision as of 17:01, 10 November 2011

777 bytes added ,  10 November 2011
no edit summary
No edit summary
No edit summary
Line 4: Line 4:
|Feature status=In progress
|Feature status=In progress
|Feature health=OK
|Feature health=OK
|Feature status note=currently fleshing out the implementation planning trying to nail down issues/questions there
|Feature status note=working on prototype implementation  
}}
}}
{{FeatureTeam
{{FeatureTeam
Line 19: Line 19:
* The origin (in string form) of a null principal - this will be sent by CORS, the origin header (if/when it's implemented), postMessage etc - the HTML5 spec says that it should be a GUID in this case - need to see what gets used in these cases when content has a null principal
* The origin (in string form) of a null principal - this will be sent by CORS, the origin header (if/when it's implemented), postMessage etc - the HTML5 spec says that it should be a GUID in this case - need to see what gets used in these cases when content has a null principal
* sandboxed IFRAME's should not be able to create popups, even with the 'allow-scripts' modified specified - need to figure out how to implement this block
* sandboxed IFRAME's should not be able to create popups, even with the 'allow-scripts' modified specified - need to figure out how to implement this block
* whether to implement @sandbox on <frame> or not - this is being discussed on the whatwg list - my current proposal is to implement it on <frame>
* whether to implement @sandbox on <xul:iframe> and <xul:frame> - this needs discussion still
|Feature overview=The HTML5 standard specifies a new attribute for the IFRAME element, "sandbox". See also [https://bugzilla.mozilla.org/show_bug.cgi?id=341604 bug 341604] "Implement HTML5 sandbox attribute for IFRAMEs" and [https://bugzilla.mozilla.org/show_bug.cgi?id=671389 bug 671389] "Implement CSP sandbox directive"
|Feature overview=The HTML5 standard specifies a new attribute for the IFRAME element, "sandbox". See also [https://bugzilla.mozilla.org/show_bug.cgi?id=341604 bug 341604] "Implement HTML5 sandbox attribute for IFRAMEs" and [https://bugzilla.mozilla.org/show_bug.cgi?id=671389 bug 671389] "Implement CSP sandbox directive"
|Feature users and use cases=Users are web developers looking for a way to isolate content on their site and preventing it from having its default same origin privileges. The HTML5 spec specifies some modifying attributes that can re-grant permissions such as executing scripts and submitting forms, etc.
|Feature users and use cases=Users are web developers looking for a way to isolate content on their site and preventing it from having its default same origin privileges. The HTML5 spec specifies some modifying attributes that can re-grant permissions such as executing scripts and submitting forms, etc.
|Feature requirements=If at all possible, this feature should be designed and implemented in a way that makes it usable for also implementing the sandboxing required to support the CSP (Content Security Policy) sandbox value also.
|Feature requirements=If at all possible, this feature should be designed and implemented in a way that makes it usable for also implementing the sandboxing required to support the CSP (Content Security Policy) sandbox value also.
|Feature non-goals=Providing sandboxing above and beyond what's described in the HTML5 spec, implementing the IFRAME seamless attribute and interactions between it the sandbox attribute.
|Feature non-goals=* Providing sandboxing above and beyond what's described in the HTML5 spec
* implementing the IFRAME seamless attribute and interactions between it the sandbox attribute.  
* implementing @sandbox on <object> - this was discussed on the whatwg list, currently we don't want to do this, since the meaning of sandbox on <object> is confusing - it would apply in some contexts and not others
|Feature functional spec=An IFRAME with the sandbox attribute (and its various modifying attributes) should behave as outlined in the HTML5 spec. See W3C Working Draft at http://www.w3.org/TR/html5/the-iframe-element.html#the-iframe-element and W3C Editor's Draft at http://dev.w3.org/html5/spec/Overview.html#the-iframe-element. This feature should also be compatible with the CSP sandbox directive (see https://wiki.mozilla.org/Security/CSP/Sandbox)
|Feature functional spec=An IFRAME with the sandbox attribute (and its various modifying attributes) should behave as outlined in the HTML5 spec. See W3C Working Draft at http://www.w3.org/TR/html5/the-iframe-element.html#the-iframe-element and W3C Editor's Draft at http://dev.w3.org/html5/spec/Overview.html#the-iframe-element. This feature should also be compatible with the CSP sandbox directive (see https://wiki.mozilla.org/Security/CSP/Sandbox)
|Feature implementation plan=* The general approach is to give a sandboxed IFRAME a null principal to remove its normal domain/principal. This removes its same origin privileges (unless allow-same-domain is specified as part of the sandbox attribute)
|Feature implementation plan=* The general approach is to give a sandboxed IFRAME a null principal to remove its normal domain/principal. This removes its same origin privileges (unless allow-same-domain is specified as part of the sandbox attribute)
Line 38: Line 43:
** the document needs to keep the exact set of flags assigned at load time (these are immutable - changing sandbox attributes does NOT dynamically affect already loaded content)
** the document needs to keep the exact set of flags assigned at load time (these are immutable - changing sandbox attributes does NOT dynamically affect already loaded content)
** sandbox flags for a document are set based on the sandbox flags of its parent document and the sandbox flags of the embedding frame (stored in the docshell)
** sandbox flags for a document are set based on the sandbox flags of its parent document and the sandbox flags of the embedding frame (stored in the docshell)
* preventing establishing new browser contexts means a sandbox IFRAME should block the showModalDialog() method
* preventing establishing new browser contexts means a sandbox IFRAME should block the showModalDialog() method - does this take care of the need to block popups ?
* sandboxed IFRAME's need to block access (read and write) to document.cookie  
* sandboxed IFRAME's need to block access (read and write) to document.cookie  
and local storage unless the allow-same-domain keyword is specified  
and local storage unless the allow-same-domain keyword is specified  
* sandboxed IFRAME's are also supposed to block access to content automatically doing something, the examples given automatically playing a video or automatically focusing a form control (unless allow-scripts is specified since scripts can do this anyways) - while disabling JS will take care of many of these cases, HTML5 video autoplay will probably need to be handled separately and there could be many other edge cases here as well !
* sandboxed IFRAME's are also supposed to block access to content automatically doing something, the examples given automatically playing a video or automatically focusing a form control (unless allow-scripts is specified since scripts can do this anyways) - while disabling JS will take care of many of these cases, HTML5 video autoplay may need to be handled separately and there could be many other edge cases here as well !
* nsFrameLoader will be modified to assign the null principal to a sandboxed IFRAME (if allow-same-origin is not specified)
* nsFrameLoader will be modified to assign the null principal to a sandboxed IFRAME (if allow-same-origin is not specified)
** this also requires modifying surrounding code to be able to force an owner to be set on the loading channel.  
** this also requires modifying surrounding code to be able to force an owner to be set on the loading channel.  
** SHentry will also need the same 'force owner' flag for when the IFRAME is loaded from session history.  
** SHentry will also need the same 'force owner' flag for when the IFRAME is loaded from session history.  
** we may be able to implement both cases in one place if we do the null principal assignment at a low enough level in the docshell loading code
** The nsFrameLoader will check if its owner content has the sandbox attribute set and is an nsHTMLIFrameElement to determine whether to sandbox the frame being loaded (again, if the allow-same-domain modifier isn't present in the sandbox attribute)
** The nsFrameLoader will check if its owner content has the sandbox attribute set and is an nsHTMLIFrameElement to determine whether to sandbox the frame being loaded (again, if the allow-same-domain modifier isn't present in the sandbox attribute)
* when we support the CSP sandbox directive, similar logic to that in nsFrameLoader will need to be implemented for the loaders for other CSP-protectable resources
* when we support the CSP sandbox directive, similar logic to that in nsFrameLoader will need to be implemented for the loaders for other CSP-protectable resources
Line 50: Line 56:
* the HTML5 spec provides examples of how to apply flags with nested IFRAMEs, abarth has proposed that if both CSP and IFRAME sandbox can apply to content, the algorithm used in these example should be used to merge the policies which sounds reasonable
* the HTML5 spec provides examples of how to apply flags with nested IFRAMEs, abarth has proposed that if both CSP and IFRAME sandbox can apply to content, the algorithm used in these example should be used to merge the policies which sounds reasonable
|Feature security review=This feature will likely need a full security review from the secteam.
|Feature security review=This feature will likely need a full security review from the secteam.
|Feature qa review=We will need a test suite for this feature. Microsoft has released test cases for sandboxing, I'm not sure of their licensing status currently. We will definitely want to compare our implementation to other browsers' implementation for consistency etc. and likely address inconsistencies via suggested modifications to the HTML5 spec.
|Feature qa review=We will need a test suite for this feature. Microsoft has released test cases for sandboxing, I'm not sure of their licensing status currently. We will definitely want to compare our implementation to other browsers' implementation for consistency etc. and likely address inconsistencies via suggested modifications to the HTML5 spec and discussion on the whatwg list.  
|Feature landing criteria=* Needs a test suite
* Needs to be compared against other implementations for consistency
* Needs a full security review
}}
}}
{{FeatureInfo
{{FeatureInfo
Imelven
Confirmed users
197

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/368031"

Navigation menu