Extend the support to iframes

[terjanq]

It would be great to easily extend the functionality onto iframes, that would allow greatly increasing sandboxing primitives currently present in the platform. We've heard multiple teams at Google that would love to see this feature implemented!

With the current proposal, there is no way for <iframe sandbox=... srcdoc=xxx> and <iframe sandbox=... src=data:text/html> to implement the Connection-Allowlist without encapsulating them with another, network-loaded iframe.

It should be enough to enable the support for it as part of <meta> in the <head> tag, but ideally a new attribute on the iframe would be more desirable. The issue with the new attribute on the iframe is that this feature could be then potentially used to selectively disable requests made by a cross-origin iframes, which might not be acceptable from the security PoV (csp= attribute had a similar issue which we then fixed).

[terjanq]

@arturjanc

[mikewest]

My initial inclination is to consider <meta> a mistake, insofar as it forces us to change a page's policies and privileges after we've committed the document which has annoying implications for implementations and makes the world difficult to reason about.

Some kind of iframe attribute which we can reason about a priori could possibly be fine, but I don't think it would be safe to allow one page to apply a policy like this to another without an opt-in. We could probably use this kind of mechanism to address about:srcdoc and data: without headers, but it's not at all clear to me that we could get away with the same for https://victim.example/.

Do you have thoughts about whether covering local schemes would be enough, or do the use cases you care about include other servers' content?

[terjanq]

Do you have thoughts about whether covering local schemes would be enough, or do the use cases you care about include other servers' content?

I'd love to see support for https://victim.example as well, because it's often quite difficult to reflect a dynamic header for static pages. What should work I think is the same model as we have for embedded CSP with the Allow-CSP-From response header. Support for Allow-Connect-Allowlist-From: * would be enough for the SafeContentFrame case where some of our users expressed the need for network isolation.

[mikewest]

Support for Allow-Connect-Allowlist-From: * would be enough for the SafeContentFrame case where some of our users expressed the need for network isolation.

If there's an opt-in then I'm less concerned (though I'd suggest that opt-in would be best positioned in a header, as you suggest, and not as a <meta> tag). I'm not sure we landed on a great model with CSP:EE, but it is existence proof of such a think working in the wild to some extent.

[terjanq]

That sounds good to me, from the product perspective <meta> is also not the easiest to control so a special attribute with opt-in header would work for us.

[shivanigithub]

How about using document policy since that allows applying the policy and requires opt-in from the iframe via a response header (as also mentioned in the related issue's comment)?

[mikewest]

Document policy could work, certainly. My vague recollection is that we didn't yet have alignment on required-document-policy(?), but conceptually it seems probably fine to me. I'm a little worried about jamming a potentially expansive allowlist into the document-policy header and/or policy attribute, but defining the list in one place and requiring acceptance of that list in another place is probably reasonable?

[krauders]

Hi there, has there been any further discussion on this? We have a scenario where we need to instantiate a sandbox in a parent/host page and restrict the sandbox so it can't leak any data. The parent page provides some data and some code to run inside the sandbox, and we need to be able to guarantee that the sandbox can't be escaped. The page loaded within the sandbox is usually in our control and can include the right meta tags, but as our scenario expands and in case the page is compromised or the input data is poisoned somehow, we need to ensure that nothing can escape the sandbox or leak data. I'm happy to provide more details, but we're really excited about this work and the iframe-level attributes are required for us to successfully use this spec.

[mikewest]

We've talked about it a bit more, but neither the spec nor Chromium's implementation has made progress here. The sketch in my head is based on CSP:EE. The embedder would include:

  <iframe connectionAllowlist='("https://good.site/" response-origin)'
          src="https://embedded.widget/">...</iframe>

When issuing a navigation request to https://embedded.widget/, we'd include the following header:

  Sec-Required-Connection-Allowlist: ("https://good.site/" response-origin)

The response would include either an assertion of exactly that policy, or an acceptance of any policy an embedder on a specific origin requested. That is:

  Connection-Allowlist: ("https://good.site/" response-origin)

or

  Allow-Connection-Allowlist-From: https://embedder.site

If one of those headers is present, great! We load the frame. If not, equally great! We block the frame from rendering.

There are some questions here we'll need to answer, but this seems like a plausible approach.

[terjanq]

The response would include either an assertion of exactly that policy, or an acceptance of any policy an embedder on a specific origin requested. That is:

Could Allow-Connection-Allowlist-From: * be also supported?