Intent to Implement and Ship: 'allow-presentation' sandboxing flag


Mounir Lamouri

May 19, 2016, 7:03:46 AM
to blin...@chromium.org
Contact emails
 
Spec
 
Summary
This is a new flag for `<iframe sandbox="...">` which will allow embedders to have control over whether an iframe can start a presentation session.
 
Motivation
We were looking for a way a website could prevent an iframe from starting a presentation, given that it can be confusing to the user where the presentation request comes from and this could be abused by some untrusted/malicious iframes. Chrome Security suggested using this solution instead of disabling the feature by default on iframes, which would be an issue for embedded content that would require new flags.
 
Compatibility Risk
Mozilla did support the change.
There is a theoretical compatibility risk if a website is currently sandboxing an iframe that tries to use the Presentation API but we believe this is unlikely enough to take the risk.
 
Technical constraints
None
 
Supported platforms
All platforms. Note that WebView disables Presentation API but the feature would work on WebView if they were to enable the API.
 
Tracking bug
 
Dashboard entry
 
Requesting approval to ship?
Yes
 
Cheers,
-- Mounir

Chris Harrelson

May 19, 2016, 11:21:43 AM
to Mounir Lamouri, blin...@chromium.org
LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Rick Byers

May 19, 2016, 12:21:13 PM
to Chris Harrelson, Mounir Lamouri, blink-dev, Mike West, Raymes Khoury
LGTM2.

We should probably get some guidance written up about when to rely on permission delegation vs. iframe sandbox flags.  It sounds like the argument here is that permission delegation would be too breaking in this case (relative to the benefit) and so we should tackle only the reduced case of sandboxed frames, right?  If we decide at some point in the future that the benefit does outweigh the compat cost, could we reasonably switch this scenario to the permission delegation model and (eventually) ignore the "allow-presentation" flag?  Or would we then require sandboxed iframes to use both?

Mike: I assume you were involved in this discussion already?  Let us know if you have any concerns.

Rick

Mounir Lamouri

May 19, 2016, 12:24:00 PM
to Rick Byers, Chris Harrelson, blink-dev, Mike West, Raymes Khoury, fe...@chromium.org
On Thu, 19 May 2016, at 17:20, Rick Byers wrote:
> LGTM2.
>
> We should probably get some guidance written up about when to rely on permission delegation vs. iframe sandbox flags. It sounds like the argument here is that permission delegation would be too breaking in this case (relative to the benefit) and so we should tackle only the reduced case of sandboxed frames, right? If we decide at some point in the future that the benefit does outweigh the compat cost, could we reasonably switch this scenario to the permission delegation model and (eventually) ignore the "allow-presentation" flag? Or would we then require sandboxed iframes to use both?
>
> Mike: I assume you were involved in this discussion already? Let us know if you have any concerns.

FWIW, Adrienne was involved in the discussions.

-- Mounir

Adrienne Porter Felt

May 19, 2016, 12:28:49 PM
to Mounir Lamouri, Rick Byers, Chris Harrelson, blink-dev, Mike West, Raymes Khoury
I personally would prefer to have everything be done with permission delegation, but I also don't want to hold back new features for too long on something that is not ready to ship yet.

Domenic Denicola

May 19, 2016, 1:50:22 PM
to Rick Byers, Chris Harrelson, Mounir Lamouri, blink-dev, Mike West, Raymes Khoury
From: Rick Byers [mailto:rby...@chromium.org]

> We should probably get some guidance written up about when to rely on permission delegation vs. iframe sandbox flags.

I had a related question yesterday at https://github.com/noncombatant/permission-delegation-api/issues/21 and it was explained to me that sandboxing is separate from delegation. Sandboxing is about whether a feature exists at all inside an iframe, whereas permission delegation is about, when the feature exists, whether the iframe gets to automatically inherit the permissions granted by its creator.

Mike West

May 19, 2016, 2:02:31 PM
to Adrienne Porter Felt, Mounir Lamouri, Rick Byers, Chris Harrelson, blink-dev, Raymes Khoury, Ilya Grigorik
I agree with Adrienne; longer term, some combination of delegation and feature policy (+Ilya) are probably the right way to govern permissions in nested frames in a granular way. Short term, adding a flag to the sandbox attribute is totally reasonable. 

Rick, to your question: once we've successfully shipped delegation, I think we'd require the permission to be delegated to the sandboxed frame, and for the flag to be present. Is that the way you're thinking about this, Mounir?

As an aside, Mounir, will you work with the relevant folks to get this new flag added to the HTML specification?

-mike


Mounir Lamouri

May 20, 2016, 8:14:39 AM
to Mike West, Adrienne Porter Felt, Rick Byers, Chris Harrelson, blink-dev, Raymes Khoury, Ilya Grigorik
On Thu, 19 May 2016, at 19:02, Mike West wrote:
> I agree with Adrienne; longer term, some combination of delegation and feature policy (+Ilya) are probably the right way to govern permissions in nested frames in a granular way. Short term, adding a flag to the sandbox attribute is totally reasonable.
>
> Rick, to your question: once we've successfully shipped delegation, I think we'd require the permission to be delegated to the sandboxed frame, and for the flag to be present. Is that the way you're thinking about this, Mounir?
>
> As an aside, Mounir, will you work with the relevant folks to get this new flag added to the HTML specification?

I've opened an issue for this:

Mounir Lamouri

May 20, 2016, 8:14:59 AM
to Mike West, Adrienne Porter Felt, Rick Byers, Chris Harrelson, blink-dev, Raymes Khoury, Ilya Grigorik
https://github.com/w3c/presentation-api/issues/299

(sorry, fat fingers)

-- Mounir

Yoav Weiss

May 23, 2016, 1:58:22 AM
to Mounir Lamouri, Mike West, Adrienne Porter Felt, Rick Byers, Chris Harrelson, blink-dev, Raymes Khoury, Ilya Grigorik
From reading the intent, it's not clear to me if the flag is an opt-in (i.e. Frames cannot go to presentation mode if the flag is included) or opt-out (Presentation mode is forbidden by default with sandbox, unless it's allowed). Which one is it?

PhistucK

May 23, 2016, 3:57:03 AM
to Yoav Weiss, Mounir Lamouri, Mike West, Adrienne Porter Felt, Rick Byers, Chris Harrelson, blink-dev, Raymes Khoury, Ilya Grigorik
Same as any other sandboxed feature - opt out (by your definition).
(Though I would argue that it is opt in, since sandbox is an opt out and its tokens are opt in again ;))


PhistucK

On Mon, May 23, 2016 at 8:58 AM, Yoav Weiss <yo...@yoav.ws> wrote:
> From reading the intent, it's not clear to me if the flag is an opt-in (i.e. Frames cannot go to presentation mode if the flag is included) or opt-out (Presentation mode is forbidden by default with sandbox, unless it's allowed). Which one is it?

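To make the opt-out semantics from the intent and PhistucK's reply concrete, here is an added example (not from this thread or from Chromium) in JavaScript: a small audit helper that scans an HTML string for iframes and reports which frames could still start a presentation under the rule "no sandbox: allowed; sandbox present: allowed only with the allow-presentation token". The regex-based tag scanning and the sample page are constructed for illustration.

```javascript
// Added example (not from the thread). Audits <iframe> tags in an HTML string
// under the rule discussed above: an unsandboxed frame may start a presentation;
// a sandboxed frame may only do so if the allow-presentation token is present.
// The regex-based tag scanning is a deliberate simplification, not an HTML parser.

// HTML defines sandbox as ASCII-case-insensitive, whitespace-separated tokens,
// so "Allow-Presentation" is the same token as "allow-presentation".
function parseSandboxTokens(value) {
  return new Set(
    value.split(/[\t\n\f\r ]+/).filter((t) => t.length > 0).map((t) => t.toLowerCase())
  );
}

// sandboxValue === null means the attribute is absent (no sandbox at all).
function presentationAllowed(sandboxValue) {
  if (sandboxValue === null) return true;
  return parseSandboxTokens(sandboxValue).has("allow-presentation");
}

// Returns one record per <iframe> start tag: src, raw sandbox value, verdict.
function auditIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      // A bare `sandbox` attribute is the empty token set: the tightest sandbox.
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    const sandbox = "sandbox" in attrs ? attrs.sandbox : null;
    results.push({ src: attrs.src ?? null, sandbox, presentationAllowed: presentationAllowed(sandbox) });
  }
  return results;
}

// Constructed sample page: four embeds with different sandbox configurations.
const SAMPLE_HTML = `
<iframe src="https://example.com/trusted"></iframe>
<iframe src="https://example.com/ad" sandbox="allow-scripts"></iframe>
<iframe src="https://example.com/cast" sandbox="allow-scripts Allow-Presentation"></iframe>
<iframe src="https://example.com/locked" sandbox></iframe>
`;

for (const r of auditIframes(SAMPLE_HTML)) {
  console.log(`${r.src}: sandbox=${JSON.stringify(r.sandbox)} presentation=${r.presentationAllowed}`);
}
```

Only the third frame among the sandboxed ones keeps the capability; the first keeps it because it is not sandboxed at all, which is the "disabling by default on iframes would break embedded content" trade-off the intent describes.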

Dimitri Glazkov

May 23, 2016, 5:43:25 PM
to Mounir Lamouri, blink-dev
LGTM3.