Re: [whatwg] `iframe[@sandbox]`: "sandblaster" JS library for analysis/modification
On Wed, Sep 30, 2015 at 10:51 AM, Mike West wrote:

> On Wed, Sep 30, 2015 at 4:56 PM, James M. Greene wrote:
>
>> *and* potentially modifying/dismantling
>> iframe sandboxes.
>
> Are you able to do this in any cases other than `allow-same-origin` and
> `allow-scripts`? If so, we should fix them. :)

I haven't spotted any such holes, though I also haven't tested it in all of the various browser/OS configurations. Again, you can see the live analysis results for your browser at http://jamesmgreene.github.io/sandblaster/test-iframes.html :)

> Thanks for putting this together!

Welcomed! It was an interesting learning experience for me.

Sincerely,
James Greene

Re: [whatwg] `iframe[@sandbox]`: "sandblaster" JS library for analysis/modification
On Wed, Sep 30, 2015 at 4:56 PM, James M. Greene wrote:

> While investigating, I ended up creating a JS library called *sandblaster*
> [1] to assist me in analyzing

We should probably just provide a mechanism for reading the currently active sandboxing flags. You shouldn't have to write pages of code to get that data. Somewhat the inverse of https://www.w3.org/Bugs/Public/show_bug.cgi?id=29061.

> *and* potentially modifying/dismantling
> iframe sandboxes.

Are you able to do this in any cases other than `allow-same-origin` and `allow-scripts`? If so, we should fix them. :)

Thanks for putting this together!

-mike

[whatwg] `iframe[@sandbox]`: "sandblaster" JS library for analysis/modification
*I should've shared this a long time ago but better late than never*

Last winter, I was dealing with some confusion surrounding `iframe` sandboxing [when I wasn't aware it existed] on code playground sites (JSFiddle, JSBin, CodePen, etc.). While investigating, I ended up creating a JS library called *sandblaster* [1] to assist me in analyzing *and* potentially modifying/dismantling iframe sandboxes. You can see a live analysis result example on its demo page [2].

Please check it out if you're interested in the subject and feel free to contribute issues/PRs/tests/suggestions/etc. on its GitHub repo [1].

Thanks!

[1]: https://github.com/JamesMGreene/sandblaster
[2]: http://jamesmgreene.github.io/sandblaster/test-iframes.html

Sincerely,
James Greene
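
The replies in this thread single out `allow-scripts` combined with `allow-same-origin` as the case in which a sandbox can be dismantled from inside the frame. As an added example (not part of the thread and not sandblaster's code), the script below audits a sandbox attribute value for that combination; `auditSandbox`, its parameters and result fields, and the sample frames are assumptions constructed for illustration.

```javascript
// Added example: audits an iframe's sandbox attribute value (no DOM needed).
// auditSandbox, its arguments and the result fields are hypothetical names.

// Split the attribute the way HTML does: ASCII whitespace, case-insensitive.
function parseSandboxTokens(value) {
  return new Set(
    value.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// sandboxValue: attribute string, or null when the attribute is absent.
// frameSrc: the iframe's src; embedderUrl: URL of the page holding the iframe.
function auditSandbox(sandboxValue, frameSrc, embedderUrl) {
  if (sandboxValue === null) {
    return { sandboxed: false, tokens: [], selfRemovable: false,
             note: "no sandbox attribute: frame is not sandboxed" };
  }
  const tokens = parseSandboxTokens(sandboxValue);
  const both = tokens.has("allow-scripts") && tokens.has("allow-same-origin");
  // A relative src resolves against the embedder, as the browser would do.
  const sameOrigin =
    new URL(frameSrc, embedderUrl).origin === new URL(embedderUrl).origin;
  let note = "sandbox flags cannot be lifted from inside the frame";
  if (both && sameOrigin) {
    note = "framed page can script its embedder and lift the sandbox";
  } else if (both) {
    note = "cross-origin today; becomes removable if content moves same-origin";
  }
  return { sandboxed: true, tokens: [...tokens].sort(),
           selfRemovable: both && sameOrigin, note };
}

// Constructed sample frames (not taken from any real site).
const embedder = "https://playground.example/edit/abc";
const samples = [
  ["", "/result/abc"],
  ["allow-scripts allow-forms", "/result/abc"],
  ["allow-scripts ALLOW-SAME-ORIGIN", "/result/abc"],
  ["allow-scripts allow-same-origin", "https://sandbox.playground.example/abc"],
];
for (const [value, src] of samples) {
  console.log(JSON.stringify(value), src, auditSandbox(value, src, embedder));
}
```

Serving the framed content from a separate origin, as in the last sample, keeps `selfRemovable` false even when both tokens are present.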