Comments on Egor Homakov: HTML5 Sandbox - a bad idea
Blog author: homakov (http://www.blogger.com/profile/10492045246792330280). 19 comments, newest first; feed last updated 2024-02-10.

Anonymous, 2014-05-23 16:08 (-07:00):
Hey Egor,

What are your thoughts about running a sandboxed iframe *without* allow-scripts?

If you wanted your web app to show user-generated HTML email, like this:

<iframe seamless sandbox="allow-same-origin allow-popups" srcdoc="<html><head><base target='_blank'><style>body{margin:0;}</style></head><body>{{escaped_email_body_html}}</body></html>"></iframe>

(only done in browsers that support sandbox)

See any issues?

homakov, 2013-04-22 07:45 (-07:00):
https://news.ycombinator.com/item?id=5502804 all vectors with document.write('') were not vulnerable until sandbox.

1. sandbox is not part of CSP, this makes the sameorigin option useless (and obvious-XSS shows it). misdesign
2. sandbox allows switching JS off but NOBODY asked for it. We never needed it, we have no use for it. misdesign + breaking some JS framebreakers
3. while you stay anonymous I can't feel involved in a discussion with you. The original article is indeed vague, I wanted to keep it short. Read the last sentence:
"I don't mean Sandbox is all bad, I only state that current Sandbox is a poorly designed feature."

I emphasise sandbox is 60% useless and dangerous shit, while it could be much simpler, CSP based and so on.

Anonymous, 2013-04-22 07:38 (-07:00):
To be clear, the original article is so vague (while sounding so confident) that I'm pretty sure you didn't really look into the subject too much and were just convinced that you understood all of it. Well, you didn't.

The other thing that's really funny is the example you give for "Untrusted code on the same origin". It has an obvious XSS hole in the parent page. Yes, the parent page, not the content of the iframe, where using html5 sandbox would be meaningful. Let me insist: breaking out of the iframe tag's src attribute is an XSS in the parent page and has absolutely nothing to do with what you're talking about; your example is absolutely 100% irrelevant.
However, you use it to explain why html5 sandbox is supposedly "a bad idea".

TLDR: bad, uninformed article is bad.

Anonymous, 2013-04-22 07:26 (-07:00):
Alright, which ones???

homakov, 2013-04-21 14:48 (-07:00):
There are kinds of framebreakers that were still working w/o sandbox. These are broken now.

Anonymous, 2013-04-21 09:17 (-07:00):
Actually, they totally were insecure in the first place. Specifically, any framebusting script that would make the page disappear if it detected framing was insecure.

You could use various JS payloads on the parent page to make the framebusting script in the iframe fail, preventing it from hiding the content of the page. And this was pretty much impossible to reliably prevent (also because of browser bugs). See OWASP's page (sorry but you asked for it): https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet.

The ones that instead make the content of the page appear if it is not being framed were and are still perfectly fine.

All in all, html5 sandbox didn't change anything except it just made it more obvious that a bad protection was bad, and this is always a good thing.

homakov, 2013-04-06 21:06 (-07:00):
If a new feature makes something insecure then THIS feature is guilty, not websites.

homakov, 2013-04-06 21:05 (-07:00):
> that were useless/insecure in the first place

They were not insecure until sandbox. How could you bypass them before?

Anonymous, 2013-04-06 11:54 (-07:00):
I completely disagree. It doesn't break framebreaking scripts at all (try Facebook's), only the ones that were useless/insecure in the first place.

homakov, 2013-04-06 01:28 (-07:00):
I don't understand you. postMessage can emit, onmessage can receive... what's wrong there?

Anonymous, 2013-04-06 00:34 (-07:00):
postMessage is a hack on top of a hack. There's no mechanism for letting our container emit and receive events, but we can get pointers to other windows for some reason, so let's just tie both ends together and call it good. It's not good. It doesn't take us far enough toward iframe's unfulfilled promise of modularity, and it doesn't work well with any system that would.

homakov, 2013-04-05 23:28 (-07:00):
Yeah, I think I overplayed with bolds... removed some.

homakov, 2013-04-05 23:26 (-07:00):
> why sandboxing is not default

postMessage everywhere FTW

Anonymous, 2013-04-05 22:34 (-07:00):
Piffle. Permitting an iframe to reach outside of itself was a bad hack in the first place - switching to x-frame-options and allowing an iframe to be properly safe is no more than a long-overdue remedy to a really lazy mistake. Many years from now, when promising young students demand to know why sandboxing is not default, we will be embarrassed by the answer.

Anonymous, 2013-04-05 22:09 (-07:00):
Related, and to show that I do truly appreciate your contribution here, I've done a little research to try to make things easier. Here's a Stackoverflow post which could help.

http://stackoverflow.com/questions/1644201/how-can-i-display-code-better-on-my-blogger-blog

Anonymous, 2013-04-05 22:04 (-07:00):
With all respect deserved, since you clearly have a refined opinion on this subject, could I suggest a re-edit of the text itself?

Attempting to read through this, with the various bold sections whipping my attention from point to point to point, and the slivers of paragraphs, made this a terribly difficult post to read, format-wise, though well thought out and well informed it may be.

As I said, this is with all due respect, and with thanks for the thoughtful post.

homakov, 2013-04-05 20:54 (-07:00):
> It was never intended to protect the server

Did I say something about server protection? I am just saying sandbox does A LITTLE BIT of good and A LOT OF bad.

> And as for UI Redressing (aka ClickJacking) browsers that support the sandbox attribute must support X-Frame-Options.

Of course they do, but "compatibility" - you will not be surprised that most websites don't use XFO? Some of them used framebreakers and they don't employ security experts. Now they are vulnerable again. No good.

Anonymous, 2013-04-05 20:39 (-07:00):
And as for UI Redressing (aka ClickJacking) browsers that support the sandbox attribute must support X-Frame-Options.

Anonymous, 2013-04-05 20:37 (-07:00):
You should use a different domain as there are tricks to leverage arbitrary js on a subdomain.

Sandboxing is to help protect the client from arbitrary crap. It was never intended to protect the server.
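Editor's added example, not code from the post or from any commenter: the thread argues about two distinct things, an XSS in the parent page (a quote in untrusted content closing the iframe's attribute) and what the sandbox flags themselves permit. The block below builds the e-mail iframe from the 2014 commenter's srcdoc template the wrong way and the right way, and adds the check the HTML spec itself warns about: allow-scripts together with allow-same-origin lets a same-origin framed document (which a srcdoc document is once allow-same-origin is granted) remove the sandbox attribute from its own frame element and reload outside the sandbox. The `seamless` attribute from the template is left out because it never gained browser support and was dropped from the spec. The sample e-mail body is constructed for the demonstration; function names are the editor's own.

```javascript
// Added example (editor's code, not the post's). Building the sandboxed
// e-mail iframe from the thread. Untrusted HTML is placed inside the
// srcdoc *attribute* of the parent page, so the first job is attribute
// escaping: a stray `"` otherwise closes the attribute and the rest of the
// e-mail is parsed as markup of the parent page, i.e. XSS in the parent,
// which no sandbox flag can fix.

// Escape a string for a double-quoted HTML attribute value. The browser
// decodes these entities when it reads the attribute, so the srcdoc
// document still receives the original HTML: `&lt;p&gt;` in the parent
// markup becomes `<p>` inside the frame and renders as a paragraph.
function escapeForAttribute(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Parse a sandbox token list and report what it grants. `breakout` is the
// combination the HTML spec warns about: allow-scripts plus
// allow-same-origin on content that is same-origin with the embedder lets
// the framed document strip its own sandbox attribute and reload.
function describeSandbox(tokens) {
  const set = new Set(String(tokens).trim().split(/\s+/).filter(Boolean));
  return {
    scripts: set.has('allow-scripts'),
    sameOrigin: set.has('allow-same-origin'),
    popups: set.has('allow-popups'),
    topNavigation: set.has('allow-top-navigation'),
    breakout: set.has('allow-scripts') && set.has('allow-same-origin'),
  };
}

// The inner document from the commenter's template. The e-mail body is
// deliberately NOT escaped here: the frame must render it as HTML. With no
// allow-scripts token, <script> and on* handlers inside it stay inert.
function emailDocument(emailBodyHtml) {
  return '<html><head><base target="_blank"><style>body{margin:0;}</style></head>' +
    '<body>' + emailBodyHtml + '</body></html>';
}

// Deliberately wrong: string concatenation without attribute escaping.
// A `"` in the e-mail terminates srcdoc and injects into the parent page.
function naiveEmailFrame(emailBodyHtml, sandboxTokens) {
  return '<iframe sandbox="' + sandboxTokens + '" srcdoc="' +
    emailDocument(emailBodyHtml) + '"></iframe>';
}

// Hardened: the whole inner document is attribute-escaped once, and the
// self-defeating flag combination is refused up front.
function buildEmailFrame(emailBodyHtml, sandboxTokens) {
  if (describeSandbox(sandboxTokens).breakout) {
    throw new Error('allow-scripts + allow-same-origin lets the framed ' +
      'document remove its own sandbox attribute');
  }
  return '<iframe sandbox="' + escapeForAttribute(sandboxTokens) + '" srcdoc="' +
    escapeForAttribute(emailDocument(emailBodyHtml)) + '"></iframe>';
}

// Constructed hostile e-mail body: HTML plus an attempt to close the
// srcdoc attribute and run script in the parent page.
const SAMPLE_EMAIL = '<p>Hi!</p><img src="x" onerror="alert(1)">' +
  '"><script>alert(document.cookie)</script>';
const SAMPLE_TOKENS = 'allow-same-origin allow-popups';

// Returns true when the generated markup keeps the e-mail inside the
// attribute: exactly four double quotes (two attributes) and no raw tags.
function staysInsideAttribute(markup) {
  return markup.split('"').length === 5 && !markup.includes('<script>');
}
```

Usage: `buildEmailFrame(SAMPLE_EMAIL, SAMPLE_TOKENS)` yields markup that `staysInsideAttribute` accepts, while `naiveEmailFrame(SAMPLE_EMAIL, SAMPLE_TOKENS)` contains a literal `"><script>` in the parent page. When the iframe is created from script rather than by templating HTML, assigning `iframe.srcdoc = emailDocument(body)` as a DOM property needs no attribute escaping at all, which removes the parent-page XSS class entirely; the sandbox token check still applies either way.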