Re: [whatwg] `iframe[@sandbox]`: "sandblaster" JS library for analysis/modification

2015-09-30 Thread James M. Greene
On Wed, Sep 30, 2015 at 10:51 AM, Mike West wrote:

> On Wed, Sep 30, 2015 at 4:56 PM, James M. Greene wrote:
>>
>> *and* potentially modifying/dismantling
>> iframe sandboxes.
>>
>
> Are you able to do this in any cases other than `allow-same-origin` and
> `allow-scripts`? If so, we should fix them. :)
>

I haven't spotted any such holes, though I also haven't tested it in all of
the various browser/OS configurations.  Again, you can see the live
analysis results for your browser at
http://jamesmgreene.github.io/sandblaster/test-iframes.html :)



> Thanks for putting this together!
>

Welcomed!  It was an interesting learning experience for me.


Sincerely,
   James Greene


[whatwg] `iframe[@sandbox]`: "sandblaster" JS library for analysis/modification

2015-09-30 Thread James M. Greene
*I should've shared this a long time ago but better late than never*

Last winter, I was dealing with some confusion surrounding `iframe`
sandboxing [when I wasn't aware it existed] on code playground sites
(JSFiddle, JSBin, CodePen, etc.).

While investigating, I ended up creating a JS library called *sandblaster*
[1] to assist me in analyzing *and* potentially modifying/dismantling
iframe sandboxes.

You can see a live analysis result example on its demo page [2].

Please check it out if you're interested in the subject and feel free to
contribute issues/PRs/tests/suggestions/etc. on its GitHub repo [1].

Thanks!


[1]: https://github.com/JamesMGreene/sandblaster
[2]: http://jamesmgreene.github.io/sandblaster/test-iframes.html


Sincerely,
James Greene


Re: [whatwg] `iframe[@sandbox]`: "sandblaster" JS library for analysis/modification

2015-09-30 Thread Mike West
On Wed, Sep 30, 2015 at 4:56 PM, James M. Greene wrote:

> While investigating, I ended up creating a JS library called *sandblaster*
> [1] to assist me in analyzing


We should probably just provide a mechanism for reading the currently
active sandboxing flags. You shouldn't have to write pages of code to get
that data. Somewhat the inverse of
https://www.w3.org/Bugs/Public/show_bug.cgi?id=29061.


> *and* potentially modifying/dismantling
> iframe sandboxes.
>

Are you able to do this in any cases other than `allow-same-origin` and
`allow-scripts`? If so, we should fix them. :)

Thanks for putting this together!

-mike
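
The combination named in the message above (`allow-same-origin` together with `allow-scripts`) as a check a page author could run over their own iframes. This is an added example, not part of the thread and not sandblaster's code; the function names, verdict labels and `example.test` URLs are assumptions.

```javascript
'use strict';
// Sandbox keywords defined by the HTML Standard; browsers ignore anything else.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Returns null when the attribute is absent (no sandbox at all); an empty
// Set means the attribute is present with every restriction applied.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  // Tokens are separated by ASCII whitespace and compared case-insensitively.
  const parts = attr.split(/[\t\n\f\r ]+/).filter(Boolean);
  return new Set(parts.map((t) => t.toLowerCase()));
}

// Hypothetical helper: classify one iframe given its sandbox attribute value,
// its src, and the URL of the embedding page.
function auditSandbox(attr, frameUrl, parentUrl) {
  const tokens = parseSandbox(attr);
  if (tokens === null) return { verdict: 'no-sandbox', unknown: [] };
  // Misspelled keywords grant nothing, so report them rather than guess.
  const unknown = [...tokens].filter((t) => !KNOWN_TOKENS.has(t));
  const both = tokens.has('allow-scripts') && tokens.has('allow-same-origin');
  const sameOrigin =
    new URL(frameUrl, parentUrl).origin === new URL(parentUrl).origin;
  let verdict = 'ok';
  // Framed script that keeps the embedder's origin is not contained.
  if (both && sameOrigin) verdict = 'escapable';
  // Holds only for as long as the framed content stays cross-origin.
  else if (both) verdict = 'weak-if-same-origin';
  return { verdict, unknown };
}

// Constructed sample inputs (not taken from the thread).
const PARENT = 'https://app.example.test/page.html';
const SAMPLES = [
  ['allow-scripts allow-same-origin', '/widget.html'],
  ['ALLOW-SCRIPTS\tallow-same-origin', 'https://cdn.example.test/w.html'],
  ['allow-scripts allow-script', '/widget.html'],
  ['', '/widget.html'],
  [null, '/widget.html'],
];
for (const [attr, src] of SAMPLES) {
  console.log(JSON.stringify(attr), src, auditSandbox(attr, src, PARENT));
}
```
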