Primary eng (and PM) emails
jap...@chromium.org (kenji...@chromium.org)
Summary
Content in an <iframe> can generally navigate the top level browsing context unless explicitly forbidden by the sandbox attribute (sometimes called 'framebusting'). Restrict this ability to content that is processing a user gesture, unless it is same-origin to the top.
Motivation
Framebusting was originally used by content that wanted to prevent being placed in an <iframe>. However, there are other, more specific tools to accomplish this (see section below). On the other hand, this framebusting technique is being used by malicious content to forcibly navigate the user.
Compatibility Risk
There isn't a good way to detect framebusting as a defense against being put in an <iframe> if it isn't actually being triggered, so the compatibility risk is somewhat uncertain. For this reason, it seems wise to ship as a Finch trial at first, to gather more definitive data.
Alternative implementation suggestion for web developers
Developers that wish to prevent their content from appearing in an <iframe> should use the CSP frame-ancestors directive or X-Frame-Options.
Usage information from UseCounter
Per UseCounter, an <iframe> navigates its top browsing context on 0.017% of page loads. Per UMA, 2.38% of these navigations are cross-origin without a user gesture. Ergo, this change will affect approximately 4 out of every 1 million page loads. However, note that this rate varies across platforms: for instance, Chrome for Android will see 15 out of every 1 million page loads affected.
OWP launch tracking bug
Entry on the feature dashboard
https://www.chromestatus.com/feature/5851021045661696
Requesting approval to remove too?
Yes, initially as a Finch trial.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Compatibility Risk
There isn't a good way to detect framebusting as a defense against being put in an <iframe> if it isn't actually being triggered, so the compatibility risk is somewhat uncertain. For this reason, it seems wise to ship as a Finch trial at first, to gather more definitive data.
There's a standard console warning when an illegal navigation is attempted, which will get triggered for this case. Would you prefer a separate warning specific to this case?
Jeffrey
Hi,On Wed, Aug 24, 2016 at 11:41 AM, Nate Chapin <jap...@chromium.org> wrote:There's a standard console warning when an illegal navigation is attempted, which will get triggered for this case. Would you prefer a separate warning specific to this case?It would be better to have a more specific warning, to make it more actionable for developers to fix or provide us feedback on a use-case we didn't anticipate.
Given that framebusting was used as security feature to protect against clickjacking (before superior options like CSP frame-ancestors directive or X-Frame-Options became available), this might make old websites vulnerable to new security exploits. Perhaps that should factor into the compatibility risk calculation here?
On Wed, Aug 24, 2016 at 11:47 AM, Chris Harrelson <chri...@chromium.org> wrote:Hi,On Wed, Aug 24, 2016 at 11:41 AM, Nate Chapin <jap...@chromium.org> wrote:There's a standard console warning when an illegal navigation is attempted, which will get triggered for this case. Would you prefer a separate warning specific to this case?It would be better to have a more specific warning, to make it more actionable for developers to fix or provide us feedback on a use-case we didn't anticipate.Will do. Should the console warning include a link to the launch bug?
Normally we put links to the chromestatus entry instead of the launch bug in console warnings, since that normally has a more succinct description (and links to the bug anyway).
The 4-15 per million number is quite low. If it was just compat (not security) we were talking about here I'd say we should just ship it - doing a partial Finch trial is probably more harm than good at that level.
Can we get someone from the security team (eg. mkwst) to weigh in on the security risk here?
LGTM2 (subject to security approval ofcourse)
Normally we put links to the chromestatus entry instead of the launch bug in console warnings, since that normally has a more succinct description (and links to the bug anyway).
The 4-15 per million number is quite low. If it was just compat (not security) we were talking about here I'd say we should just ship it - doing a partial Finch trial is probably more harm than good at that level.
Can we get someone from the security team (eg. mkwst) to weigh in on the security risk here?
LGTM2 (subject to security approval ofcourse)
-mike
-mike
Hi,I am a web developer from China,but my English is just so so, I try to express my opioions well, haha. As a surfing user, I am happy with the new feature in this draft, for it forbids the unfriendly navigation without my permission. But as a web developer, I may be sad for this new feature, for it means I have to make changes to avoid this limitation. As I know, it is widely used for usage of top.location in cross-domain jumping , once the new version of chrome with this feature released, it may affect many websites.To say the least, I think chrome should provide some facilities for developers to conduct users to access their target. for example, why chrome blocks the navigation and stay in blank page, like the following picture:
I also want to post a question here: why the try-catch have no effect on the top.location once it was blocked by the new feature? As a web developer, I hope that we can have more control with such limitation , on condition that it throws exception and go into the catch block instead of staying in the exception point.
This breaks my oauth workflow and I don't have too many ways around it because of a lack of cooperativeness from the vender.It seems like if we allow the user to implicitly consent to the redirect we should allow the user to explicitly consent via a redirect blocked ui similar to the pop up blocked one.
--