Contact emails
arthursonzo...@chromium.org

Specification
https://github.com/whatwg/html/pull/7124

Design docs
https://github.com/whatwg/html/issues/2191#issuecomment-926555754

Summary
Gates sandboxed iframe navigation toward external protocols behind any of:
- allow-popups
- allow-top-navigation
- allow-top-navigation-with-user-activation (+ user activation)

Motivation: Sandboxed iframe navigations are allowed, because they stay within the iframe. However, when they lead to the opening of an external application, this can be seen as a new popup or a new top-level navigation somehow. Extending the sandbox scope here resolves issues developers/users had with malicious advertisers.

Blink component
Blink>SecurityFeature>IFrameSandbox <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EIFrameSandbox>

TAG review
We think this is not needed here. Handling external applications is at the boundary of the web platform. This is a security improvement.

TAG review status
Not applicable

Risks

Interoperability and Compatibility
This prevents sandboxed iframes from navigating or redirecting users toward an external application. The goal is to break malicious ads. There is an inherent and intended compatibility risk. In a first step, this will only record metrics to ensure the number of blocked requests is relatively small. We are going to work to drive those numbers down (target <0.0005% PageLoad), or ensure they are dominated only by malicious actors, before shipping the enforcement. Enterprise policy will be supported.

The interoperability risk is that other browser vendors do not implement these restrictions. Firefox is working on enforcing it as well.

Gecko: Worth prototyping (https://github.com/mozilla/standards-positions/issues/581) Firefox would like to enforce it as well, once the compatibility <https://github.com/whatwg/html/issues/2191#issuecomment-929955259> risk question has been resolved.

WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-September/031988.html) (pending)

Web developers: Strongly positive.
Amazon and multiple independent security researchers have filed feature requests:
- https://crbug.com/1148777
- https://crbug.com/1250415
- https://github.com/whatwg/html/issues/2191

Ergonomics
N/A

Activation
N/A

Security
This is intended as security positive.

Goals for experimentation
I don't expect a huge interest in trying this feature. I wanted to submit an intent-to-implement instead, but it wasn't proposed in the interface when filling out a "Web developer facing change to existing code". The goal is making this intent public and potentially gathering some feedback about the proposed specification.

Ongoing technical constraints
N/A

Debuggability
A DevTools console error message is shown to developers when the sandbox blocks the external application.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No
Android WebView is purposefully excluded. It does not provide a way to handle external protocols on its own, but lets the embedding Android application intercept the request. We do not block the request and leave the embedding app its full powers here. We don't want to risk breaking existing Android applications.

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
No
This is at the boundary of the web platform (external apps). This is not observable from within a document, so it is not possible to have WPT. There are non-WPT tests.

Flag name
SandboxExternalProtocolBlocked

Requires code in //chrome?
Yes, this is mostly inside //chrome, so that Android WebView can stay unaffected. See change <https://chromium-review.googlesource.com/c/chromium/src/+/3162979>.

Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1253379

Launch bug
https://crbug.com/1253405

Estimated milestones
DevTrial on desktop 96
DevTrial on android 96

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5680742077038592

This intent message was generated by Chrome Platform Status <https://www.chromestatus.com/>.
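
As an added illustration that is not part of the original email and is not Chromium's code: the gating rule from the Summary, written as a small JavaScript check and applied to constructed sample markup to show which sandboxed iframes could still reach an external protocol handler. The function names, the sample hosts and the simplified regex-based attribute scan are assumptions made for this example.

```javascript
// Added example, not Chromium code: models the gating rule from the Summary.
const UNCONDITIONAL = ['allow-popups', 'allow-top-navigation'];
const NEEDS_ACTIVATION = 'allow-top-navigation-with-user-activation';

// Split a sandbox attribute value into lowercase tokens (ASCII whitespace separated).
function parseSandbox(value) {
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// sandboxValue is null when the iframe has no sandbox attribute at all.
function externalProtocolAllowed(sandboxValue, hasUserActivation) {
  if (sandboxValue === null) return true; // not sandboxed: the rule does not apply
  const tokens = parseSandbox(sandboxValue);
  if (UNCONDITIONAL.some((t) => tokens.has(t))) return true;
  return tokens.has(NEEDS_ACTIVATION) && hasUserActivation;
}

// Simplified attribute scan, good enough for the constructed sample below;
// a production audit should use a real HTML parser.
function auditIframes(html) {
  const report = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attr = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=\s|$)/i.exec(m[1]);
    const sandbox = attr ? (attr[1] ?? attr[2] ?? attr[3] ?? '') : null;
    const src = (/(?:^|\s)src\s*=\s*"([^"]*)"/i.exec(m[1]) || [])[1] || '';
    report.push({
      src,
      sandbox,
      withoutGesture: externalProtocolAllowed(sandbox, false),
      withGesture: externalProtocolAllowed(sandbox, true),
    });
  }
  return report;
}

// Constructed sample markup (hypothetical hosts).
const SAMPLE_HTML = `
<iframe src="https://ads.example/slot1" sandbox="allow-scripts"></iframe>
<iframe src="https://ads.example/slot2" sandbox="allow-scripts allow-popups"></iframe>
<iframe src="https://widget.example/w" sandbox="allow-scripts allow-top-navigation-with-user-activation"></iframe>
<iframe src="https://legacy.example/x"></iframe>
`;

for (const row of auditIframes(SAMPLE_HTML)) {
  console.log(row.src, JSON.stringify(row.sandbox), row.withoutGesture, row.withGesture);
}
```

Embeds that report `false` in both columns are the ones the proposed enforcement would stop from opening an external application.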