Features/Platform/Iframe Sandbox

From MozillaWiki
Revision as of 21:53, 3 November 2011 by Imelven (talk | contribs)

Status

Iframe Sandbox
Stage Draft
Status `
Release target `
Health OK
Status note `


Team

Product manager `
Directly Responsible Individual `
Lead engineer Ian Melven
Security lead Curtis Koenig
Privacy lead Sid Stamm
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members `


Open issues/risks

`

Stage 1: Definition

1. Feature overview

The HTML5 standard specifies a new attribute for the IFRAME element, "sandbox". See also bug 341604 "Implement HTML5 sandbox attribute for IFRAMEs" and bug 671389 "Implement CSP sandbox directive".

2. Users & use cases

Users are web developers looking for a way to isolate content on their site and prevent it from having its default same-origin privileges.

3. Dependencies

`

4. Requirements

If at all possible, this feature should be designed and implemented in a way that also makes it usable for implementing the sandboxing required to support the CSP (Content Security Policy) sandbox value.

Non-goals

Providing sandboxing above and beyond what's described in the HTML5 spec; implementing the IFRAME seamless attribute and the interactions between it and the sandbox attribute.

Stage 2: Design

5. Functional specification

An IFRAME with the sandbox attribute (and its various modifying attributes) should behave as outlined in the HTML5 spec. See the W3C Working Draft at http://www.w3.org/TR/html5/the-iframe-element.html#the-iframe-element and the W3C Editor's Draft at http://dev.w3.org/html5/spec/Overview.html#the-iframe-element. This feature should also be compatible with the CSP sandbox spec (need a link).

6. User experience design

`

Stage 3: Planning

7. Implementation plan

`

8. Reviews

Security review

This feature will likely need a full security review from the secteam.

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

We will need a test suite for this feature. Microsoft has released test cases for sandboxing; I'm not sure of their licensing status currently. We will want to compare our implementation to other browsers' implementations for consistency etc.

Operations review

`

Stage 4: Development

9. Implementation

`

Stage 5: Release

10. Landing criteria

`

Feature details

Priority Unprioritized
Rank 999
Theme / Goal Security, Privacy
Roadmap Security
Secondary roadmap `
Feature list `
Project `
Engineering team Security


Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `
