Hi,

while working on https://bugzilla.mozilla.org/show_bug.cgi?id=785310 (block setting window.top.location from a document sandboxed without 'allow-top-navigation') and discussing the correct behavior with Bobby Holley, I found some interesting differences between what Chrome and IE have implemented around top navigation and iframe sandbox.

In my testing with Chrome, if you have a sandboxed document with the same origin as the top level document and the sandboxed document has 'allow-same-origin allow-scripts', the sandboxed document can NOT navigate the top level document via setting window.top.location, i.e. it's blocked. Bobby pointed out that blocking top navigation when the sandboxed document is same origin with the top level document is difficult, since the sandboxed document can do window.top.eval('window.location = "http://foo.com";') - this bypasses the block in Chrome and the top navigation happens.

In IE 10, at least in the Windows 8 consumer preview, which is the latest version I have at the moment unfortunately, you can set window.top.location from a document that's same origin with the top level document and is contained in an <iframe sandbox='allow-same-origin allow-scripts'>, i.e. it doesn't need allow-top-navigation.

It would be great if the spec could clarify the correct behavior around top navigation when the sandboxed document is/is not same origin with the top level document.

One option would be for Chrome/WebKit to also block the window.top.eval loophole, but in general we feel that trying to stop this when the documents are same origin would possibly be problematic. Another option would be to not block top navigation when the sandboxed document is same origin with the top level document (which implies it's been sandboxed with 'allow-same-origin', of course).

From discussions with Bobby, I think we prefer the second option. The restriction on navigating window.top would only be applied in the cross-domain case.

thanks!
ian
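The two behaviours compared in this mail, as an added example that is not part of the original message: a small JavaScript model of the top-navigation decision for a sandboxed frame. The sandbox keywords are the real HTML attribute tokens; the policy labels "chrome" and "ie10" are assumed names standing for the two observed behaviours described above, not for any spec text, and `effectiveTopNavigation` is an added helper showing why the nominal block only means something in the cross-origin case.

```javascript
// Added example, not part of the original mail: a model of the
// top-navigation decision discussed above. The sandbox tokens are the real
// HTML attribute keywords; the policy labels "chrome" and "ie10" stand for
// the two observed behaviours described in the mail, not for spec text.

// Parse a sandbox attribute value into a Set of lower-cased keywords.
function parseSandbox(attr) {
  return new Set((attr || "").trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// A sandboxed frame is only same-origin with the top document when its URL
// is same-origin AND allow-same-origin is set; otherwise it gets a unique
// origin.
function sameOriginWithTop(flags, frameUrlSameOrigin) {
  return flags.has("allow-same-origin") && frameUrlSameOrigin;
}

// Nominal rule: may the frame set window.top.location?
//   "chrome": only with allow-top-navigation, even if same-origin.
//   "ie10":   also when the frame is same-origin with the top document.
function nominalTopNavigation(flags, frameUrlSameOrigin, policy) {
  if (flags.has("allow-top-navigation")) return true;
  if (policy === "ie10") return sameOriginWithTop(flags, frameUrlSameOrigin);
  return false;
}

// Effective rule: a same-origin frame that may run script can call
// window.top.eval('window.location = ...'), so in that configuration a
// nominal block, where the policy has one, does not hold.
function effectiveTopNavigation(flags, frameUrlSameOrigin, policy) {
  const nominal = nominalTopNavigation(flags, frameUrlSameOrigin, policy);
  const evalLoophole =
    sameOriginWithTop(flags, frameUrlSameOrigin) && flags.has("allow-scripts");
  return { nominal, evalLoophole, effective: nominal || evalLoophole };
}

// Walk the cases from the mail plus the cross-origin and unique-origin cases.
function summarise() {
  const cases = [
    ["allow-same-origin allow-scripts", true, "chrome"],
    ["allow-same-origin allow-scripts", true, "ie10"],
    ["allow-same-origin allow-scripts", false, "chrome"],
    ["allow-scripts", true, "chrome"],
  ];
  return cases.map(([attr, same, policy]) => ({
    attr, frameUrlSameOrigin: same, policy,
    ...effectiveTopNavigation(parseSandbox(attr), same, policy),
  }));
}
```

Running `summarise()` shows the same-origin 'allow-same-origin allow-scripts' frame ending up with effective top navigation under both labels, while the cross-origin frame stays blocked without allow-top-navigation.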
