New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 678759 link

Starred by 4 users
Status: Fixed
Owner:
emilyschechter@chromium.org
Closed: Apr 2017
Cc:
mkwst@chromium.org
kenjibaheux@chromium.org
binlu@chromium.org
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Launch-OWP
Launch-Accessibility: NA
Launch-Exp-Leadership: ----
Launch-Leadership: ----
Launch-Legal: NA
Launch-M-Approved: ----
Launch-M-Target: ----
Launch-Privacy: NA
Launch-Security: NA
Launch-Test: NA
Launch-UI: NA
Rollout-Type: ----



Sign in to add a comment

'allow-top-navigation-by-user-activation' <iframe sandbox> flag

Project Member Reported by emilyschechter@chromium.org, Jan 5 2017 
See http://www.chromium.org/blink#launch-process for an overview of the
Blink launch process.

This launch issue is used for standards and implementation tracking only,
not for Chrome approval regarding privacy, security, legal, UI, testing,
accessibility etc. If your feature requires approval in any of those areas
please additionally create a Type=Launch issue (note you will most likely
want a PM to guide you through the Type=Launch process, guidance can be
found at go/newchromefeature)

---

Change description:
Require user gesture for sandboxed iframe w/ 'allow-top-navigation' to navigate top-level page, and the top-level navigation will be blocked if there is no user gesture. This change would enable more use cases of sandboxing untrusted third-party contents (eg., ads) by allowing top navigation while blocking malicious auto-redirecting, and thus help building a safer internet.

Changes to API surface:
Require a user gesture to navigate top-level page for sandboxed iframe w/ 'allow-top-navigation', and the top-level navigation will be blocked if it's not triggered by a user gesture.

Links:
Public standards discussion: https://github.com/WICG/interventions/issues/42

Support in other browsers:
Internet Explorer: not yet
Firefox: not yet
Safari: not yet

*Make sure to fill in any labels with a -?, including all OSes this change
affects. Feel free to leave other labels at the defaults.

Comment 2 by domenic@chromium.org, Feb 23 2017

Summary: 'allow-top-navigation-by-user-activation' <iframe sandbox> flag (was: Require user gesture for sandboxed iframe w/ 'allow-top-navigation' to navigate top-level page)
I'm not terribly familiar with the launch bug procedure, but I think it will be OK to reuse this for the updated proposal, which is a separate keyword 'allow-top-navigation-by-user-activation'. Let me rename the issue. A new change description is:

Adds a new keyword named "allow-top-navigation-by-user-activation" for iframe sandbox, which requires a user activation (or gesture) being processed to trigger a top-level navigation. This change would enable more use cases of sandboxing untrusted third-party contents (eg., ads) by allowing top navigation while blocking malicious auto-redirecting, and thus help building a safer internet (eg., a safer ads ecosystem in which all ads could be sandboxed to prevent unexpected malicious behaviors like

Chrome Platform Status has been updated

Comment 3 by bi...@google.com, Mar 2 2017

Labels: -M-57 M-58

Comment 4 by emilyschechter@chromium.org, Apr 4 2017 

I'm marking this as fixed since it's officially in M58.

Comment 5 by emilyschechter@chromium.org, Apr 4 2017

Status: Fixed (was: Assigned)

Comment 6 by bi...@google.com, Apr 10 2017

Cc: binlu@chromium.org
For the tracking purpose: the implementation was tracked in  http://crbug.com/662506 .

Sign in to add a comment