Intent to Remove: document.open sandbox inheritance


Arthur Sonzogni

Jun 5, 2023, 4:15:30 AM
to blin...@chromium.org

Contact emails

arthurs...@chromium.org

Explainer

https://docs.google.com/document/d/1_89X4cNUab-PZE0iBDTKIftaQZsFbk7SbFmHbqY54os/edit

Specification

https://html.spec.whatwg.org/#document-open-steps

Design docs

https://docs.google.com/document/d/1_89X4cNUab-PZE0iBDTKIftaQZsFbk7SbFmHbqY54os/edit

Summary

Sandbox flags of the caller are currently applied to the callee when document.open targets a different window. Stop doing it.


Blink component

Blink>SecurityFeature>IFrameSandbox

Motivation

  • It makes it difficult for Chrome's implementation to stay in a consistent state.
  • The removed behavior was not specified. Safari and Firefox do not implement it.
  • It had no security benefits.


Initial public proposal

None

Search tags

sandbox, iframe, document.open

TAG review

None

TAG review status

Not applicable

Risks



Interoperability and Compatibility

This should be a trivial removal. Currently, 0.000002% of pages are "potentially" affected: https://chromestatus.com/metrics/feature/timeline/popularity/4375 In most cases, a less restrictive sandbox flag is not going to negatively impact the affected pages. So 0.000002% should be seen as an upper bound. This brings Chrome's implementation closer to the specification, and closer to Firefox and Safari. This has a positive impact on interoperability.



Gecko: N/A. This aligns Chrome with Firefox, because Firefox never implemented this behavior.

WebKit: N/A. This aligns Chrome with Safari, because Safari never implemented this behavior.

Web developers: No signals

Other signals:

Security

The removed feature did not have any security benefits. A sandboxed iframe that can call document.open on its neighbors must have “allow-scripts” and “allow-same-origin” capabilities. This is already a known way to escape the sandbox, independently of document.open. For instance, one can call `eval` on its parent to escape its sandbox. Chrome and Firefox display the message: "An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing." Security considerations: https://docs.google.com/document/d/1_89X4cNUab-PZE0iBDTKIftaQZsFbk7SbFmHbqY54os/edit#bookmark=id.7lqerksbaalj



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability



Is this feature fully tested by web-platform-tests?

Yes

Before the removal: Safari/Firefox PASS. Chrome/Edge FAIL:


Flag name

--enable-blink-features=DocumentOpenSandboxInheritanceRemoval

Requires code in //chrome?

False

Tracking bug

https://crbug.com/1186311

Estimated milestones

Shipping on desktop: 116
Shipping on Android: 116
Shipping on WebView: 116


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5171677800955904

Links to previous Intent discussions



This intent message was generated by Chrome Platform Status.
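The security argument above rests on one precondition: a frame can only reach a neighbor's document.open (or its parent's eval) when its sandbox grants both allow-scripts and allow-same-origin and the framed content is same-origin with the embedder. The following is an added example for this thread, not code from the intent, the HTML spec, or Chromium. It lints iframe markup for exactly that combination, parsing the sandbox attribute the way HTML defines it (unordered, unique, ASCII-whitespace-separated, case-insensitive tokens) and resolving each frame's src against an assumed embedder origin. The sample page, the frame names in it, the embedder origin https://example.test, and the function names are all constructed for the example.

```javascript
// Added example (not from the intent, the spec, or Chromium): audit <iframe sandbox>
// attributes for the allow-scripts + allow-same-origin combination that, for
// same-origin content, lets the framed page escape its sandbox by reaching into
// its embedder. Sample HTML, frame names and the embedder origin are constructed.

// Sandbox tokens defined by the HTML spec (lowercase; matching is ASCII case-insensitive).
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Parse the attribute value as HTML does: an unordered set of unique tokens
// split on ASCII whitespace. Returns null when the attribute is absent
// (the frame is not sandboxed at all); an empty attribute means "all restrictions".
function parseSandboxTokens(attrValue) {
  if (attrValue === null || attrValue === undefined) return null;
  const tokens = new Set();
  for (const raw of attrValue.split(/[\t\n\f\r ]+/)) {
    if (raw !== '') tokens.add(raw.toLowerCase());
  }
  return tokens;
}

// Decide what a frame with this sandbox value can do. `sameOriginAsEmbedder` is
// whether the framed document's origin equals the embedder's; a cross-origin
// framed document cannot touch the embedder's DOM even with allow-same-origin.
function assessFrame(attrValue, sameOriginAsEmbedder) {
  const tokens = parseSandboxTokens(attrValue);
  if (tokens === null) {
    return { sandboxed: false, scripts: true, sameOrigin: true, canEscape: false, unknownTokens: [] };
  }
  const scripts = tokens.has('allow-scripts');
  const sameOrigin = tokens.has('allow-same-origin');
  const unknownTokens = [...tokens].filter((t) => !KNOWN_TOKENS.has(t)).sort();
  // With both flags and same-origin content, script in the frame can for example
  // run parent.document.querySelector('iframe[sandbox]').removeAttribute('sandbox')
  // and reload itself, or call parent.eval(...): the sandbox is then advisory only.
  const canEscape = scripts && sameOrigin && sameOriginAsEmbedder;
  return { sandboxed: true, scripts, sameOrigin, canEscape, unknownTokens };
}

// Minimal extraction of <iframe> start tags and their attributes. This is a lint
// pass over templates, not an HTML parser (it ignores comments and script bodies).
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? ''; // a bare `sandbox` is an empty token set
    if (!(name in attrs)) attrs[name] = value; // first occurrence wins, as in HTML
  }
  return attrs;
}

// Report every iframe in `html`, resolving src against `embedderOrigin`
// (e.g. 'https://example.test'). An empty src is about:blank, which inherits
// the embedder's origin, so it is treated as same-origin.
function auditHtml(html, embedderOrigin) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttributes(m[1]);
    const src = attrs.src ?? '';
    let sameOriginAsEmbedder = false;
    try {
      sameOriginAsEmbedder = new URL(src, embedderOrigin).origin === embedderOrigin;
    } catch {
      // Unparsable src: treat as cross-origin (cannot reach the embedder).
    }
    const sandbox = 'sandbox' in attrs ? attrs.sandbox : null;
    findings.push({ name: attrs.name ?? null, src, sandbox, ...assessFrame(sandbox, sameOriginAsEmbedder) });
  }
  return findings;
}

// Names of frames whose sandbox is escapable under the condition the intent describes.
function escapeCapableFrames(html, embedderOrigin) {
  return auditHtml(html, embedderOrigin).filter((f) => f.canEscape).map((f) => f.name);
}

// Constructed sample page (not from any real site). Only "widget" is same-origin
// and has both tokens; "ad" has both tokens but is cross-origin.
const SAMPLE_HTML = `
<iframe name="widget" src="/widget.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe name="ad" src="https://ads.example.net/ad.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe name="locked" src="/locked.html" sandbox="ALLOW-SCRIPTS allow-forms"></iframe>
<iframe name="inert" src="/inert.html" sandbox></iframe>
<iframe name="plain" src="/plain.html"></iframe>
`;

for (const f of auditHtml(SAMPLE_HTML, 'https://example.test')) {
  console.log(`${f.name}: sandboxed=${f.sandboxed} scripts=${f.scripts} sameOrigin=${f.sameOrigin} canEscape=${f.canEscape}`);
}
```

Run it with node over your own templates in place of SAMPLE_HTML; any frame reported with canEscape=true is one where the sandbox attribute buys nothing against its own content, which is the case the removed document.open inheritance was supposedly restricting.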

Yoav Weiss

Jun 5, 2023, 6:11:31 AM
to Arthur Sonzogni, blin...@chromium.org
LGTM1 to remove


Mike Taylor

Jun 5, 2023, 10:20:48 AM
to Yoav Weiss, Arthur Sonzogni, blin...@chromium.org

The risk seems quite low here, thanks for the explanation. LGTM2.

Daniel Bratell

Jun 7, 2023, 11:27:08 AM
to Mike Taylor, Yoav Weiss, Arthur Sonzogni, blin...@chromium.org