[re-adding chromium-extensions at Henry's request]
I definitely understand your perspective, but the problem is that the
popup window itself needs to be sandboxed (just like iframes inside
the sandboxed iframe need to be sandboxed). If the popup wasn't
sandboxed, then the iframe could escape the sandbox by creating
popups.
As a consequence of being sandboxed, the popup has a unique origin,
regardless of whether it's showing about:blank or some other URL. A
"unique" origin, by nature, is different from every other origin
(that's what makes it unique). That's why you can't script it from
the original iframe: the two are in different unique origins.
Now, we could have made a special exception for about:blank popups
because about:blank documents normally inherit their origin from their
creator. There was a discussion about this in the standards working
group, and folks felt it was better to have a consistent sandboxing
policy rather than have special exceptions for corner cases. That
strengthens the security of the sandbox at the cost of some
functionality.
It's possible we should revisit this question, but we'd want to do
that together with the working group so all the browsers end up
working the same way.
Adam
On Fri, Feb 15, 2013 at 10:42 AM, Henry Feild <haf...@gmail.com> wrote:
> Thanks, Adam. Could you elaborate on the circumstances in which an opened
> about:blank window could break out of the sandbox?
>
> The behavior I'd expect is that the opened window pointing to about:blank
> should share the same unique origin as the caller, and so would simply be an
> extension of the sandbox with no additional privileges. If the about:blank
> popup is then directed to another page (programmatically or via user action),
> then the win object back in the sandbox would lose its properties -- just
> like when you create a popup from a regular old web page. I see
> about:blank as the single edge case where a window opened from within a
> sandbox would not be given a new unique origin signature (I'm assuming
> that's the underlying implementation of sandboxing).
>
> I understand that the sandbox shouldn't be able to access windows that load
> content from elsewhere, including pages that would normally be same-origin,
> such as those packaged with my extension -- that's why it's a sandbox, after
> all. But as long as about:blank windows are treated the same as the original
> sandbox window, I don't see the security risk. Is this a fair point? Or am
> I off my rocker? :)
>
> -Hank
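As an added illustration (not code from this thread or from Chromium), here is a small Node model of the origin rule Adam describes: a popup inherits its opener's sandbox flags, and the sandbox check runs before the about:blank origin-inheritance rule, so the iframe and its popup end up in two different unique origins. All function names are hypothetical, and the model assumes the `allow-popups-to-escape-sandbox` token, which the HTML spec added after this thread, is not in use.

```javascript
// Added example, not from the thread: a model of how a popup's origin is
// assigned, following Adam's reasoning. All names here are hypothetical.
let uniqueSerial = 0;

// A "unique" (opaque) origin equals nothing but itself; a tuple origin
// (scheme, host, port) equals any tuple with the same three parts.
function tupleOrigin(scheme, host, port) {
  return { opaque: false, scheme, host, port };
}
function uniqueOrigin() {
  return { opaque: true, serial: ++uniqueSerial };
}
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Origin of a document loaded into a context, checked in this order:
// sandboxed -> fresh unique origin; about:blank -> creator's origin;
// otherwise the URL's own origin. The sandbox check comes first, which is
// why a sandboxed about:blank popup does NOT inherit its creator's origin.
function determineOrigin(url, sandboxed, creatorOrigin) {
  if (sandboxed) return uniqueOrigin();
  if (url === 'about:blank' && creatorOrigin) return creatorOrigin;
  const u = new URL(url);
  return tupleOrigin(u.protocol.replace(':', ''), u.hostname, u.port);
}

function createContext(url, sandboxed, creator) {
  const creatorOrigin = creator ? creator.origin : null;
  return { url, sandboxed, creator, origin: determineOrigin(url, sandboxed, creatorOrigin) };
}

// window.open(): the popup inherits the opener's sandbox flags, so a
// sandboxed iframe cannot use popups to escape the sandbox.
function openPopup(opener, url = 'about:blank') {
  return createContext(url, opener.sandboxed, opener);
}

// Navigating a popup elsewhere re-determines its origin for the new URL.
function navigate(ctx, url) {
  ctx.url = url;
  ctx.origin = determineOrigin(url, ctx.sandboxed, ctx.creator ? ctx.creator.origin : null);
}

// Cross-context scripting (e.g. reading win.document) requires same origin.
function canScript(from, to) {
  return sameOrigin(from.origin, to.origin);
}
```

Running the constructed scenario (a page opening a sandboxed iframe, and each of them opening an about:blank popup) shows the unsandboxed page can script its popup while the sandboxed iframe cannot, which is exactly the behaviour Hank observed.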