Not sure if this is the right mailing list but seems appropriate since it relates to Site Isolation. We'd like to prevent ads from doing top.location = "http://myscammyadsite.com" but a lot of our ads are also still using Flash which means we can't just use the sandbox attribute, since that blocks plugins.
Is there any other way of preventing this? I jokingly tried Object.defineProperty(window, 'location', {configurable: false, editable: false}) but that just crashes the Chrome tab immediately after running. That also wouldn't prevent top.location.replace().
Thanks!
James
[+securi...@chromium.org, mkwst@, jschuh@; site-isol...@chromium.org to BCC]Sorry for the late reply. security-dev@ is a better list for this than site-isolation-dev@, since the latter is about our implementation of http://www.chromium.org/developers/design-documents/site-isolation.As you mention, sandboxed iframes can't load plugins. Flash has its own capabilities the browser can't easily restrict, so I don't know of a way to do what you're asking. The other folks CC'd might know more.
I've heard similar requests for a sandbox that allows plugins from my colleagues. One of the big problems with that approach is that origin-sandboxing is one of the most important and valuable features, but the major plugins (java, flash, sliverlight) all have their own, different versions of what the "same origin policy" is, with special exceptions for downloading new code based on IP or object origin, reading off-origin data based on policy files hosted cross-origin, etc. It's an almost impossible task to reconcile those with a uniform SOP in the browser and propagate the guarantees of origin-sandboxing to plugins.
I think a better approach is to have a CSP directive that restricts where a resource may navigate itself. Deian Stefan plans to propose that (and a postMessage restricting directive) for CSP3 in support of the COWL deliverable we've recently adopted in WebAppSec. It's something I'd like to see, as well. http://www.w3.org/2011/webappsec/
-Brad Hill