Closed ArthurSonzogni closed 3 years ago
This is something we think is worth prototyping (and I suspect does not warrant a dashboard entry) though note that @johannhof noted a potential compat issue: https://github.com/whatwg/html/issues/2191#issuecomment-922775038.
Thanks! I think I will start with metrics only, and try to see what I can do besides @johannhof's work to drive those numbers down.
Closing this as worth prototyping. Thanks for tackling this @ArthurSonzogni!
@annevk I think the additional change to allow impacted websites to disable this change, the allow-custom-protocols-navigation sandbox flag, isn't worth me filing a second standards position request, and I can reuse this one.
I will assume the previous "worth prototyping" still applies, modulo getting your review on the PR. Please let me know if this isn't the case.
Yeah, that seems fine.
cc @Trikolon
Request for Mozilla Position on an Emerging Web Specification
Other information
Developers are surprised that a sandboxed iframe can navigate and/or redirect the user toward an external application.
General iframe navigations in a sandboxed iframe are not blocked normally, because they stay within the iframe. However, they can be seen as a popup or a top-level navigation when they lead to opening an external application. In this case, it makes sense to extend the scope of sandbox flags, and block malvertisers.
This gates iframe navigation toward external protocols behind any of:
I would be happy to get your feedback.