Drop support for named and indexed access on cross-origin windows referencing via sandboxed iframes windows

Status: NEW
Assignee: Unassigned
Product: Core
Component: XPConnect
Reported: 4 years ago
Modified: 4 years ago
Reporter: David Bruant
Blocks: 1 bug
Firefox Tracking Flags: Not tracked

(Reporter)

Description

4 years ago
Rising from the ashes of bug 916939.
Maybe sandboxed iframes are recent enough to have a saner relationship to their parent?

This would remove a sync communication channel between a parent and an iframe, allowing thread/process/task isolation of iframes.

Comment 1

Define "acquired"?
(Reporter)

Comment 2

4 years ago
(In reply to Boris Zbarsky [:bz] (Vacation Oct 12 - Oct 27) from comment #1)
> Define "acquired"?
Yeah sorry, something like "got a reference to". In code:

parent context:
<iframe id="foo" sandbox="allow-scripts"></iframe>
<script>
var win = document.getElementById('foo').contentWindow; // that's what I call "acquire"
// since win references a sandboxed iframe window, named and indexed access could be
// decided not to work anymore
</script>

... I realize this certainly requires some sort of WindowProxy2. I should probably take this to the WHATWG first, sorry for the noise.

Summary: Drop support for named and indexed access on cross-origin windows acquired from sandboxed iframes → Drop support for named and indexed access on cross-origin windows referencing via sandboxed iframes windows

> since win references a sandboxed iframe window

Hmm.  I guess sandboxing propagates to subframes too...  Bobby, thoughts?  This might be reasonable.
Flags: needinfo?(bobbyholley+bmo)

We could easily implement this in our security wrappers if we wanted to. I'm happy to use Gecko as a guinea pig if we need to test the web-compatibility of this change. I suspect it should be ok.

(In reply to David Bruant from comment #2)
> ... I realize this certainly requires some sort of WindowProxy2. I should

Not necessarily. The current spec language for cross-origin object access is inaccurate, and Hixie and I are actively sorting out what this stuff should look like. See [1].

> probably take this to the WHATWG first, sorry for the noise.

Given the above, you might have better luck waiting until [1] is sorted out.

[1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701
Flags: needinfo?(bobbyholley+bmo)
(Reporter)

Updated

4 years ago
Blocks: 925718
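
A simplified model of the restriction discussed in this bug, added here as an illustration; it is not code from the bug, from Gecko's security wrappers or from the HTML spec. A JavaScript Proxy stands in for a cross-origin window reference, and the hypothetical `dropNamedAndIndexed` option removes named and indexed access to child frames. `makeFrame`, `crossOriginView` and `observe` are assumed names, and the frame objects are constructed.

```javascript
// Simplified model (assumption): a real cross-origin WindowProxy exposes a few
// more properties (postMessage, location, ...) than the two handled here.
const isIndex = (key) => /^(0|[1-9]\d*)$/.test(key);

function securityError(key) {
  const err = new Error(`cross-origin access to "${String(key)}" denied`);
  err.name = "SecurityError";
  return err;
}

// Constructed stand-in for a window: a name, child frames, same-origin-only state.
function makeFrame(name, children = []) {
  return { name, children, closed: false, secret: "same-origin only" };
}

// View of `frame` handed to a cross-origin holder.
// dropNamedAndIndexed: true models the restriction proposed in this bug.
function crossOriginView(frame, { dropNamedAndIndexed = false } = {}) {
  return new Proxy(frame, {
    get(target, key) {
      if (key === "length") return target.children.length;
      if (key === "closed") return target.closed;
      if (!dropNamedAndIndexed && typeof key === "string") {
        // Indexed access (win[0]) and named access (win["chat"]) both resolve
        // to child frames, so the holder can walk the frame tree synchronously.
        const child = isIndex(key)
          ? target.children[Number(key)]
          : target.children.find((c) => c.name === key);
        if (child) return crossOriginView(child, { dropNamedAndIndexed });
      }
      throw securityError(key);
    },
    set(_target, key) {
      throw securityError(key);
    },
  });
}

// Records, per key, whether a synchronous read through `view` succeeds.
function observe(view, keys) {
  const seen = {};
  for (const key of keys) {
    try { void view[key]; seen[key] = "reachable"; }
    catch (e) { seen[key] = e.name; }
  }
  return seen;
}
```

With the option off, the answers for `0` and `chat` depend on the child frames that currently exist, which is the synchronous channel the description refers to; with it on, every such read fails the same way.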