The HTML 5 sandbox Attribute Improves iFrame Security
The Web Hypertext Application Technology Working Group (WHATWG) is working jointly with W3C on developing the HTML 5 standard. HTML 5 has been at "Last Call" at WHATWG for the last 3 months. During this time one feature which has changed more significantly is the sandbox attribute of the
<iframe> element. sandbox can be used to isolate untrusted web page content from performing certain operations.
- access the DOM of the parent page (technically speaking, because the iframe is relegated to a different “origin” than the parent page)
- execute scripts
- embed their own forms, or manipulate forms via script
- read or write cookies, local storage, or local SQL databases
The HTML 5 revision tracking page notes more features of the sandbox attribute:
- disabling plugins
- disabling navigating of other browsing contexts
- disabling popups and modal dialogs
iFrames are notorious for being exploited for security breaches, mostly because they are used to embed third party content which might perform unwanted actions. sandbox is intended to make iFrames more secure by specifying what the embedded content is allowed to do. This approach detaches the sandboxed content from its parent page, thus receiving less privileges.
sandbox comes with its associated MIME type,
text/html-sandboxed. Hickson details:
text/html-sandboxedMIME type, [used] for ensuring that users can’t navigate to untrusted content. There are two parts to this. First, browsers must not render pages served with a
text/html-sandboxedMIME type, if you navigate to the page directly. This part works in all browsers, today; they all download (or offer to download) the page markup instead of rendering it. Second, browsers that support the
sandboxattribute need to render iframes served with the
text/html-sandboxedMIME type (subject to the privilege restrictions listed in the
sandboxattribute). No browser supports this yet, not even Google Chrome. (It renders the parent page but downloads the iframe content instead of rendering it within the frame.) So you can’t use this technique yet, until Google updates Chrome to support it. (In theory, other browser vendors will implement support for this at the same time they implement support for the
sandboxattribute, but I suppose we’ll just have to wait and see.)
Currently only Google Chrome 4.0 uses sandbox, Firefox, IE8, Opera or Safari have not implemented it yet. It is likely the other browsers will implement it in future versions. The story around HTML 5
<video> element, with Google implementing it using the H.264 standard while other browsers use a different standard or don't implementing it yet, is not likely to repeat here because each browser can freely choose how to implement sandbox internally. Even if all major browsers adopted sandbox tomorrow, developers and web content managers intending to use it will need to consider that there are legacy browsers out there which will ignore the attribute, so they will have to take the usual security measures regarding iFrames.
Yoni Goldberg Oct 30, 2014
Dmytro Svarytsevych Oct 30, 2014