Currently, the spec allows use of custom protocols in a sandboxed iframe, which could be used to escape the sandbox (see https://www.brokenbrowser.com/abusing-of-protocols/) or launch an application from a sandboxed iframe (mailto:, acrobat:, etc.). I think custom protocols should be disabled in sandboxed iframes.
Related bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=1322925 https://bugs.chromium.org/p/chromium/issues/detail?id=329000