HTML sandbox form restriction bypass when scripts allowed

[tsangtmc]

I noted a security flaw in a implementation scenario in iframe sandboxes https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html which does not currently appear to be documented as a risk. The short is that when using scripts enabled, it bypasses the forms restriction. More info: https://blog.analyzenothing.com/2019/10/html-sandboxes-restrictions-bypass-forms.html

Short of blocking such a behavior could i recommend adding in a warning into the documentation about such a risk (similar to the other warnings)? Thanks

[annevk]

I'm not opposed to adding a warning, but that's not a full bypass. part of the behavior of form is performing navigation.

[tsangtmc]

Thanks, That is absolutely true and a good point. To be accurate I'll update the POC to reflect (please let me know if you would like attribution on that point). Immediately that was not on the top of the list of factors for risk for me as when speaking of containment, sandboxing, most think of protection of the parent item. From a risk perspective for the parent document protecting itself using a sandbox,

• the submit itself could ultimately amount to a abuse of shared trust, a bit of a indirect clickjacking attack, from the parent document as well as a CSRF attack against the parent.
• the navigation in most cases could either be abused as a form of unvalidated redirect or a XSS in the response of the submit after the navigation, on the domain of the sandboxed. The redirect part can be simulated by a javascript redirect such as https://jsfiddle.net/z80pqgaL/. The XSS would not affect the parent, and for the spirit and nature of containment to protect the parent i don't believe this to be the common expectation or concern either.

[annevk]

In theory it could also be used to open a popup, but there are other sandboxing flags that would typically prevent that. (No need for acknowledgment btw.)