| Line 4: | Line 4: | ||
|Feature status=In progress | |Feature status=In progress | ||
|Feature health=OK | |Feature health=OK | ||
|Feature status note=working on prototype implementation | |Feature status note=working on prototype implementation | ||
}} | }} | ||
{{FeatureTeam | {{FeatureTeam | ||
| Line 20: | Line 20: | ||
* sandboxed IFRAME's should not be able to create popups, even with the 'allow-scripts' modified specified - need to figure out how to implement this block | * sandboxed IFRAME's should not be able to create popups, even with the 'allow-scripts' modified specified - need to figure out how to implement this block | ||
* whether to implement @sandbox on <frame> or not - this is being discussed on the whatwg list - my current proposal is to implement it on <frame> | * whether to implement @sandbox on <frame> or not - this is being discussed on the whatwg list - my current proposal is to implement it on <frame> | ||
* whether to implement @sandbox on <xul:iframe | * whether to implement @sandbox on <xul:iframe/browser/editor> - this needs discussion still | ||
|Feature overview=The HTML5 standard specifies a new attribute for the IFRAME element, "sandbox". See also [https://bugzilla.mozilla.org/show_bug.cgi?id=341604 bug 341604] "Implement HTML5 sandbox attribute for IFRAMEs" and [https://bugzilla.mozilla.org/show_bug.cgi?id=671389 bug 671389] "Implement CSP sandbox directive" | |Feature overview=The HTML5 standard specifies a new attribute for the IFRAME element, "sandbox". See also [https://bugzilla.mozilla.org/show_bug.cgi?id=341604 bug 341604] "Implement HTML5 sandbox attribute for IFRAMEs" and [https://bugzilla.mozilla.org/show_bug.cgi?id=671389 bug 671389] "Implement CSP sandbox directive" | ||
|Feature users and use cases=Users are web developers looking for a way to isolate content on their site and preventing it from having its default same origin privileges. The HTML5 spec specifies some modifying attributes that can re-grant permissions such as executing scripts and submitting forms, etc. | |Feature users and use cases=Users are web developers looking for a way to isolate content on their site and preventing it from having its default same origin privileges. The HTML5 spec specifies some modifying attributes that can re-grant permissions such as executing scripts and submitting forms, etc. | ||
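Review bot: The revised <xul:iframe/browser/editor> bullet says only "this needs discussion still" and names neither a venue nor an owner for that discussion, whereas the <frame> bullet directly above it points to the whatwg list and records a current proposal. Suggest adding where the discussion will take place (a list or a tracking bug) and what the prototype does for these elements in the meantime, so the open issue can be closed out before the security review. Separately, the unchanged popup bullet reads "'allow-scripts' modified specified", which looks like a typo for "modifier".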
| Line 56: | Line 55: | ||
* the HTML5 spec provides examples of how to apply flags with nested IFRAMEs, abarth has proposed that if both CSP and IFRAME sandbox can apply to content, the algorithm used in these example should be used to merge the policies which sounds reasonable | * the HTML5 spec provides examples of how to apply flags with nested IFRAMEs, abarth has proposed that if both CSP and IFRAME sandbox can apply to content, the algorithm used in these example should be used to merge the policies which sounds reasonable | ||
|Feature security review=This feature will likely need a full security review from the secteam. | |Feature security review=This feature will likely need a full security review from the secteam. | ||
|Feature qa review=We will need a test suite for this feature. Microsoft has released test cases for sandboxing, I'm not sure of their licensing status currently. We will definitely want to compare our implementation to other browsers' implementation for consistency etc. and likely address inconsistencies via suggested modifications to the HTML5 spec and discussion on the whatwg list. | |Feature qa review=We will need a test suite for this feature. Microsoft has released test cases for sandboxing, I'm not sure of their licensing status currently. We will definitely want to compare our implementation to other browsers' implementation for consistency etc. and likely address inconsistencies via suggested modifications to the HTML5 spec and discussion on the whatwg list. | ||
|Feature landing criteria=* Needs a test suite | |Feature landing criteria=* Needs a test suite | ||
* Needs to be compared against other implementations for consistency | * Needs to be compared against other implementations for consistency | ||
* Needs a full security review | * Needs a full security review | ||
}} | }} | ||
{{FeatureInfo | {{FeatureInfo | ||