Comments:"Egor Homakov: HTML5 Sandbox - a bad idea"
URL:http://homakov.blogspot.com/2013/04/html5-sandbox-bad-idea.html
I don't like both idea and implementations of the Sandbox feature (part of so-called HTML5). Most of the articles about it are lame copy-pastes of the spec. Straight question WHY WE NEED IT AT ALL remains not answered. Furthermore, nobody writes that implementation is a little bit crazy — by fixing small vulnerabilities it introduces huge ones.
Why?
When we embed frames with external content we are still open for navigational and/or phishing attacks (obviously cookies/inner HTML cannot be stolen because of the same origin policy). The iframe code can change top.location or open a phishing popup window prompt('your password?'). ... that's it. That's all we needed to fix.
Besides allow-popup and allow-top-navigation options W3C introduced allow-scripts, allow-forms and allow-same-origin. They wanted best you know the rest.
Javascript... malicious shit.
People are still fixing CSS for IE6. Meanwhile W3C destroys all Javascript-based framebreakers, not asking anyone's advice (only one anti-clickjacking solution left - X-Frame-Options). Nobody gave a shit about compatibility, I guess.
W3C needed a really good reasonto introduce such a crazy feature: "Javascript from a frame can do malicious actions, now you can turn it off".
Malicious what? Tomorrow they will call Javascript a Remote Code Execution Vulnerability and ask us to remove the browser? Javascript cannot be malicious on it's own!
Untrusted code on the same origin.
Another announced killer-feature of Sandbox - running untrusted code on your origin (remark: USE A SUBDOMAIN DONT BE STUPID). People tend to believe it: "Cool, I will set up a javascript playground on my website!". This?
Now think again, what stops an attacker to simply use 'SITE/playground?code=alert(1)' as an XSS hole?
You cannot rely on it out-of-box, thus you need a way more comprehensive solution — you have to make sure that current page is loaded under sandbox (request is authentic), not in a new window
HTML code: <iframe src="SITE/playground?code=alert(1)&nonce=123qwe123" sandbox="allow-scripts">
Playground server side: if params[:nonce] and cookie[:nonce] == params[:nonce] ..response..
Now you are secure from arbitrary code reflection. Anyway, don't use it.
Misleading posts make people think that Sandbox is a secure way to embed arbitrary content, but there are strings attached.
I don't mean Sandbox is all bad, I only state that current Sandbox is a poorly designed feature.