Opened at 2012-08-27T18:27:07Z
Last modified at 2013-09-14T17:40:44Z
#1797 new defect
WUI: view content in an HTML5 sandboxed iframe
Reported by: | davidsarah | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | soon |
Component: | code-frontend-web | Version: | 1.9.2 |
Keywords: | wui security usability javascript sandbox same-origin websec | Cc: | freddyb |
Launchpad Bug: |
Description (last modified by zooko)
Sandboxed iframes support loading content in a separate unique origin (when the allow-same-origin is not set). This solves many (not all) of the problems described in #615, for browsers that support it: Chrome, IE10+, and soon Firefox 17+.
Note that if we sandbox by default, that will affect the ability to save the raw version of files with in-browser-viewable MIME types served from Tahoe (because it will also save the framing page). To mitigate that we also need #827.
Change History (8)
comment:1 Changed at 2012-08-27T19:02:35Z by davidsarah
comment:2 follow-up: ↓ 3 Changed at 2012-08-28T18:40:51Z by davidsarah
Grr, Chrome lost my comment. Will try to reconstruct:
Which permissions can we allow on an iframe sandbox attribute?
allow-same-origin:
- No, that would defeat the purpose of sandboxing for us.
allow-top-navigation: allow-popups:
- No, the navigated frame or popup would be outside the sandbox. The sandbox mechanism does not prevent an attacker from navigating directly to the unsandboxed content from their own site, but we want to prevent this from happening accidentally.
allow-scripts:
ProbablyPossibly OK. We don't care if the sandboxed content can run scripts as long as they're in a unique origin. OTOH, this does potentially increase the attack surface for browser bugs.
allow-forms:
- Probably OK, but it's not clear to me what security property this is enforcing at all (since forms can in any case be submitted cross-origin).
comment:3 in reply to: ↑ 2 Changed at 2012-08-28T18:42:39Z by davidsarah
Replying to davidsarah:
allow-top-navigation: allow-popups:
- No, the navigated frame or popup would be outside the sandbox. The sandbox mechanism does not prevent an attacker from navigating directly to the unsandboxed content from their own site, but we want to prevent this from happening accidentally.
Also, in the table here, we want a column that does not contain "master" or "top" in any row, so the iframe's "seamless" attribute also must not be set.
comment:4 Changed at 2012-11-22T01:28:28Z by davidsarah
Implementing this via Content Security Policy rather than an iframe is much easier.
comment:5 Changed at 2013-04-15T11:04:57Z by freddyb
Currently, it's very hard (and according to https://bugzilla.mozilla.org/show_bug.cgi?id=859454#c11 nearly impossible) to restrict a document to its frame and allowing scripts at the same time with iframe sandbox.
Once scripting is allowed, the document may use certain hacks to break out of the sandbox by unframing itself, thus being rendered in a shared origin (again).
Did you look at the paper "Privilege Separation in HTML5 Applications"(usenix security 2012)? Worth a read in this context: https://www.usenix.org/conference/usenixsecurity12/privilege-separation-html5-applications
comment:6 Changed at 2013-04-16T03:35:41Z by daira
https://bugzilla.mozilla.org/show_bug.cgi?id=785310 is just a bug in Mozilla's implementation. There's no spec ambiguity there; the spec does what we want.
comment:7 Changed at 2013-04-16T03:38:36Z by daira
In other words, this is consistent with what I said about allow-scripts increasing attack surface for browser bugs ;-)
comment:8 Changed at 2013-09-14T17:40:44Z by zooko
- Description modified (diff)
- Keywords websec added
Note that HTML5 sandbox does not in any way require JS. Nor does it stop single-page JS webapps served from Tahoe from working, if allow-scripts is set in the sandbox tag. Multi-page JS webapps can also work if they do not rely on same-origin information sharing, although we might need to handle .css and .js filetypes differently because the browser will be expecting them to be served raw, not framed.