WICG / anonymous-iframe

Give developers the ability to embed third party HTML documents inside a new and ephemeral context. In return, COEP embedding rules can be relaxed. Thanks to anonymous iframe, developers using COEP can now embed third party content that does not.

Interaction with sandbox attribute #20

Open annevk opened 9 months ago

annevk commented 9 months ago

Looking at this again for https://github.com/WebKit/standards-positions/issues/45 it occurred to us with everyone aligning on cross-site cookies, repurposing the sandbox attribute in some manner might be within grasp?

I realize this was discussed to some extent before in https://github.com/mozilla/standards-positions/issues/628#issuecomment-1202183489 but it would be nice to have this fleshed out a bit more. And also discussed in a place that's a bit more appropriate.

ArthurSonzogni commented 9 months ago

+CC @camillelamy and @mikewest who might want to bring more information.

Some data we have: ~94% of <iframe credentialless> are not sandboxed.

About repurposing sandbox to implement <iframe credentialless>. This was documented here:


Main reasons: Fully sandboxed iframes are not strict enough. The navigation response in an `