
sandbox: tag proposal for html5


Postby indus_khaitan » Mon Jan 21, 2008 9:56 am

A pre-formatted version of the complete proposal and other examples can be found on my blog at http://www.khaitan.org/blog/?page_id=203

The proposal is for a new tag called sandbox. sandbox provides hints to the user-agent for fine-grained and portable permission control of embedded content. The hints would tell the user-agent what the embedded content can/can't do.

The options for embedding content from multiple sources using widgets, embeds, etc. are growing dramatically as more and more user-generated content is published, re-published and embedded within other pages. The content within the content (or micro-content) is (a) infrastructure driven, like embedding of scriptlets for web tracking, (b) consumption driven, like widgets for news, weather, jobs, (c) interaction driven, like videos, slideshows, micro-documents, spreadsheet snapshots, and (d) submissions, like search forms, data-capture fields, etc.

The micro-content is in large part distributed as a code fragment wrapped either in a <script> or an <object>/<embed> tag. As the offering of these services grows, things will together become more sophisticated and mature in the coming years. How far should this script be trusted? At the outset, the following questions need answering:



    * Can the embedded script read the DOM of the page it is hosted in?
    * Can the script make further calls to the remote server using the script transport?
    * Can the script manipulate the CSS of the page it is hosted in?
    * Can the script attach event handlers?
    * Can the script call window.close() or document.replace() ?
    * Can the script launch a pop-up window while being rendered?
    * Is the script allowed to render non-textual content like video, audio, etc.?

In today's HTML and user-agent world, all these questions may be answered YES. An implementation of the proposed tag would allow the page author to control the permissions in a fine-grained way, instead of relying on browser-specific configuration.

The IDL may look like this:

    interface HTMLSandboxElement : HTMLElement {
      // permission hints read from the tag's attributes ("1" = allowed, "0" = denied)
      readonly attribute boolean allowRemoting;
      readonly attribute boolean allowStyleChange;
      readonly attribute boolean allowDOMScripting;
      readonly attribute boolean allowEventHandler;
      readonly attribute boolean allowSubmit;
      // returns whether the named permission is granted for this sandbox
      boolean checkPermission(in DOMString attributeName);
    };


A sample HTML fragment (Web-Analytics example)

    <sandbox allowRemoting="0" allowStyleChange="0"
             allowEventHandler="1" allowSubmit="0">
      <script src="http://www.example-analytics.com/tracker.js"></script>
      <script type="text/javascript">
        _uacct = "UA-XXXXX";
        Tracker();
      </script>
    </sandbox>


Benefits:

    * Fine-grained control while composing content (or application output) from multiple sources
    * Shared responsibility between page author and user-agent
    * Takes the browser security to a new level
    * Portable control instead of relying on individual user-agent configuration options for various permutations and combinations.


Thoughts?
Indus Khaitan

Postby zcorpan » Mon Jan 21, 2008 3:13 pm


Postby indus_khaitan » Mon Jan 21, 2008 9:00 pm

Adding to the original thought. The sandbox allows us to look at security/permissions at a more comprehensive level rather than at the individual script, iframe, object or div tag level, and it can be configured as such.

Does it make sense to take this discussion over to the lists, or to attach this thought to an existing thread on the w3 or whatwg list?

Postby zcorpan » Tue Jan 22, 2008 2:06 am

Certainly, feel free to join the discussion on the list. :)

Postby indus_khaitan » Tue Jan 22, 2008 6:37 am

:D