Contact
[email protected]

Explainer
https://docs.google.com/document/d/1_89X4cNUab-PZE0iBDTKIftaQZsFbk7SbFmHbqY54os/edit

Specification
https://html.spec.whatwg.org/#document-open-steps

Design docs
https://docs.google.com/document/d/1_89X4cNUab-PZE0iBDTKIftaQZsFbk7SbFmHbqY54os/edit

Summary
Sandbox flags of the caller are currently applied to the callee when document.open targets a different window. Stop doing it.

Blink component
Blink>SecurityFeature>IFrameSandbox <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EIFrameSandbox>

Motivation
- It makes it difficult for Chrome's implementation to stay in a consistent state.
- The removed behavior was not specified. Safari and Firefox do not implement it.
- It had no security benefits.

Initial public proposal
None

Search tags
sandbox <https://chromestatus.com/features#tags:sandbox>, iframe <https://chromestatus.com/features#tags:iframe>, document.open <https://chromestatus.com/features#tags:document.open>

TAG review
None

TAG review status
Not applicable

Risks

Interoperability and Compatibility
This should be a trivial removal. Currently, 0.000002% of pages are "potentially" affected: https://chromestatus.com/metrics/feature/timeline/popularity/4375

In most cases, a less restrictive sandbox flag is not going to negatively impact the affected pages, so 0.000002% should be seen as an upper bound.

This brings Chrome's implementation closer to the specification, and closer to Firefox and Safari. This has a positive impact on interoperability.

*Gecko*: N/A. This aligns Chrome with Firefox, because Firefox never implemented this behavior.

*WebKit*: N/A. This aligns Chrome with Safari, because Safari never implemented this behavior.

*Web developers*: No signals

*Other signals*:

Security
The removed feature did not have any security benefits. A sandboxed iframe that can call document.open on its neighbors must have "allow-scripts" and "allow-same-origin" capabilities. This is already a known way to escape the sandbox, independently of document.open. For instance, one can call `eval` on its parent to escape its sandbox.

Chrome and Firefox display the message: "An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing."

Security considerations: https://docs.google.com/document/d/1_89X4cNUab-PZE0iBDTKIftaQZsFbk7SbFmHbqY54os/edit#bookmark=id.7lqerksbaalj

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None

Debuggability

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes

Before the removal: Safari/Firefox PASS. Chrome/Edge FAIL: https://wpt.fyi/results/html/browsers/sandboxing/sandbox-document-open-mutation.window.html?label=master&label=stable&aligned

After the removal: Safari/Firefox/Chrome/Edge PASS: https://wpt.fyi/results/html/browsers/sandboxing/sandbox-document-open-mutation.window.html

Flag name
--enable-blink-features=DocumentOpenSandboxInheritanceRemoval

Requires code in //chrome?
False

Tracking bug
https://crbug.com/1186311

Estimated milestones
Shipping on desktop: 116
Shipping on Android: 116
Shipping on WebView: 116

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5171677800955904

Links to previous Intent discussions

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH7Q68Xb-GTak%3DVDx1cak-3%3D77e%2BudHkquttq8au_d3jt59KJw%40mail.gmail.com.
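The Security section of the intent rests on one fact: a frame whose sandbox attribute carries both "allow-scripts" and "allow-same-origin" is not contained by its sandbox, which is also why Chrome and Firefox print the console warning quoted above. The following is an added example, not code from the intent or from Chromium, that lets an embedder audit its own markup for that combination before a browser has to warn about it. It scans an HTML string for `<iframe>` start tags with a deliberately small regex (not a full HTML parser), tokenizes each `sandbox` value the way the HTML Standard defines it (unique, ASCII case-insensitive, ASCII-whitespace-separated tokens, with a bare `sandbox` meaning "no allowances"), and reports frames that are escapable, frames with no sandbox at all, and tokens the spec does not define (which browsers ignore, so a typo silently changes what is allowed). The `KNOWN_TOKENS` list and the `SAMPLE_HTML` input are constructed for the example.

```javascript
// Added example (not part of the blink-dev intent or of Chromium): static audit of
// <iframe sandbox> attributes for the allow-scripts + allow-same-origin combination
// that the intent cites as an existing sandbox escape.

// Sandbox tokens defined by the HTML Standard (assumed complete for this audit).
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts", "allow-top-navigation",
  "allow-top-navigation-by-user-activation", "allow-top-navigation-to-custom-protocols",
]);

// The attribute is an unordered set of unique, ASCII case-insensitive,
// ASCII-whitespace-separated tokens; an empty value yields the empty set.
function parseSandboxTokens(value) {
  return new Set(
    value.split(/[\t\n\f\r ]+/).filter(Boolean).map((t) => t.toLowerCase()),
  );
}

// Audit one attribute value: null means the attribute is absent, "" means bare `sandbox`.
function auditSandboxValue(value) {
  if (value === null) {
    return {
      sandboxed: false, escapable: false, tokens: [], unknownTokens: [],
      findings: ["no sandbox attribute: the frame is unrestricted"],
    };
  }
  const tokens = parseSandboxTokens(value);
  const findings = [];
  // The pair the intent describes: script in a same-origin frame can reach its
  // parent (e.g. eval on the parent), so the sandbox does not contain it.
  const escapable = tokens.has("allow-scripts") && tokens.has("allow-same-origin");
  if (escapable) {
    findings.push("allow-scripts with allow-same-origin: the frame can escape its sandboxing");
  }
  const unknownTokens = [...tokens].filter((t) => !KNOWN_TOKENS.has(t));
  for (const t of unknownTokens) {
    findings.push(`unknown token "${t}" is ignored by browsers (probable typo)`);
  }
  return { sandboxed: true, escapable, tokens: [...tokens].sort(), unknownTokens, findings };
}

// Scan an HTML string for <iframe> start tags and audit each one's sandbox attribute.
function auditIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  // Matches `sandbox`, `sandbox="..."`, `sandbox='...'` or `sandbox=value`.
  const attrRe = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[1]);
    const value = a ? (a[1] ?? a[2] ?? a[3] ?? "") : null;
    results.push({ tag: m[0], sandbox: value, ...auditSandboxValue(value) });
  }
  return results;
}

// Constructed sample input covering the cases the audit distinguishes.
const SAMPLE_HTML = `
<iframe src="https://ads.example/widget" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://embed.example/player" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="https://legacy.example/"></iframe>
<iframe src="https://other.example/" sandbox></iframe>
<iframe src="https://typo.example/" sandbox="Allow-Scripts allow-popup"></iframe>
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditIframes(SAMPLE_HTML)) {
    console.log(r.tag);
    for (const f of r.findings) console.log("  -", f);
  }
}
```

Running the block prints the first, third and fifth frames with findings; the second frame (scripts without same-origin) and the fourth (bare `sandbox`, every restriction in force) are reported clean. The check is intentionally independent of `document.open`: as the intent notes, the escape exists whenever both tokens are present, so an embedder that wants the sandbox to mean something has to avoid granting the pair in the first place.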
