On Thu, Jul 9, 2015 at 5:28 PM, Daniel Veditz dved...@mozilla.com wrote:
On Mon, Jul 6, 2015 at 2:47 AM, Mike West mk...@google.com wrote:
I've dropped the opener/openee-disowning behavior from my proposal,
and renamed the sandboxing keyword to `allow-popups-to-escape-sandbox` in
On Mon, Jul 6, 2015 at 2:47 AM, Mike West mk...@google.com wrote:
I've dropped the opener/openee-disowning behavior from my proposal,
and renamed the sandboxing keyword to `allow-popups-to-escape-sandbox` in
https://wiki.whatwg.org/index.php?title=Iframe_sandbox_improvments&diff=9958&oldid=9955
On Tue, Jun 23, 2015 at 11:14 AM, Mike West mk...@google.com wrote:
After some conversation with bz (CC'd), I've slightly formalized the
description of the feature at
https://wiki.whatwg.org/wiki/Iframe_sandbox_improvments.
This is something that I'd like to ship in Chrome in the somewhat
On 7/6/15 5:47 AM, Mike West wrote:
Boris, I think this is consistent with your suggestions in
https://groups.google.com/a/chromium.org/d/msg/blink-dev/wXbgxLu63Fo/F6WGG03FafAJ
and
https://groups.google.com/a/chromium.org/d/msg/blink-dev/wXbgxLu63Fo/pZZ0MXzpbKAJ.
Can you live with this
On Mon, Jul 6, 2015 at 9:14 PM, Boris Zbarsky bzbar...@mit.edu wrote:
On 7/6/15 5:47 AM, Mike West wrote:
Boris, I think this is consistent with your suggestions in
https://groups.google.com/a/chromium.org/d/msg/blink-dev/wXbgxLu63Fo/F6WGG03FafAJ
and
After some conversation with bz (CC'd), I've slightly formalized the
description of the feature at
https://wiki.whatwg.org/wiki/Iframe_sandbox_improvments.
This is something that I'd like to ship in Chrome in the somewhat near
future. See the Intent to Ship at
On Mon, May 11, 2015 at 6:11 AM, Mike West mk...@google.com wrote:
2. Add an `allow-unsandboxed-auxiliary` keyword to those supported by the
`sandbox` attribute, which, when present, would allow auxiliary browsing
contexts created by `window.open` and `target=_blank` links to create
clean
On Thu, May 14, 2015 at 3:59 PM, Devdatta Akhawe dev.akh...@gmail.com
wrote:
2. Add an `allow-unsandboxed-auxiliary` keyword to those supported by the
`sandbox` attribute, which, when present, would allow auxiliary browsing
contexts created by `window.open` and `target=_blank` links to create
On Mon, May 11, 2015 at 9:19 AM, Jim Manico jim.man...@owasp.org wrote:
The whole purpose of a sandbox is to limit what content inside of it can
do. I want to limit where that sandbox can open windows with full
cookie/script/etc access.
And you can do so by _not_ specifying the new flag I'm
On Mon, May 11, 2015 at 4:02 PM, Chris Coyier chriscoy...@gmail.com wrote:
I'd think popups would be killed by default and allow-popups would allow
them. Or if you need a new value, allow-obnoxious-things could work ;)
I would prefer to simply remove the functionality. :)
If we do decide
1. Block modal dialogs from inside sandboxed frames. That is:
* `alert(...)` would return without popping up a dialog.
* `confirm(...)` would return `false` without popping up a dialog.
* `prompt(...)` would return `null` without popping up a dialog.
* `print(...)` would return without
On Mon, May 11, 2015 at 4:12 PM, James M. Greene james.m.gre...@gmail.com
wrote:
1. Block modal dialogs from inside sandboxed frames. That is:
* `alert(...)` would return without popping up a dialog.
* `confirm(...)` would return `false` without popping up a dialog.
* `prompt(...)` would
On Mon, May 11, 2015 at 7:13 AM, Mike West mk...@google.com wrote:
The worst offender: linking to things that are .htpasswd protected and it
pops up that authentication modal.
I wouldn't be terribly averse to dropping support for that inside a
sandbox. Especially a sandbox without
On Mon, May 11, 2015 at 7:24 PM, Ian Melven ian.mel...@gmail.com wrote:
1) At one point I think showModalDialog was specified to be blocked unless
allow-popups was set. (I can't find this in the current editor's draft of
the spec).
It seems to me that it would make sense to follow #1 in your
On Mon, May 11, 2015 at 11:59 PM, Justin Dolske dol...@mozilla.com wrote:
On Mon, May 11, 2015 at 7:13 AM, Mike West mk...@google.com wrote:
The worst offender: linking to things that are .htpasswd protected and it
pops up that authentication modal.
I wouldn't be terribly averse to
On Mon, May 11, 2015 at 7:27 AM, Jim Manico jim.man...@owasp.org wrote:
2. Allow sandboxed frames to spawn new windows without forcing the
sandbox upon them.
I think this needs to be restricted so sandboxed iFrames cannot spawn new
windows back to the same domain - or better yet may only
(BCC: public-webapp...@w3.org)
Hello, wonderful whatwg@ folks!
I've talked with a few folks from Google's advertising teams who are
interested in using sandboxed iframes to mitigate the risks associated with
ads. They've flagged two things that they'd like to see happen in the
future:
1. Block