Google Chrome 5: Using HTML5's @sandbox attribute in iframes

Google Chrome 5 is the first browser that supports an HTML5 feature that lets web developers reduce the privileges of parts of their web pages by adding a "sandbox" attribute to an iframe: <iframe sandbox src="http://attacker.com/untrusted.html"></iframe>. The framed document then runs with reduced privileges (for example, JavaScript and popups are disabled), similar in spirit to how Google Chrome sandboxes its rendering engine.

You can give untrusted.html some of its privileges back by whitelisting them in the value of the sandbox attribute. If you want untrusted.html to be able to run scripts and contain forms, you could use: <iframe sandbox="allow-scripts allow-forms" src="http://attacker.com/untrusted.html"></iframe>. Because @sandbox is a whitelist, the browser still imposes all of the remaining sandbox restrictions on untrusted.html.

When using the sandbox attribute, you need to think carefully about how legacy browsers (those that don't support @sandbox) will interpret the HTML. The easiest way to use @sandbox is for "defense-in-depth." Instead of relying on @sandbox as your only line of defense, you can use it as an additional security mitigation in case your first line of defense (such as output encoding) fails. Because legacy browsers ignore attributes they don't understand, you can add @sandbox to existing iframes and improve security for users of newer browsers without breaking older ones.

If you want to display untrusted content only in browsers that support @sandbox, you can detect whether the browser supports @sandbox using the following code:

if ("sandbox" in document.createElement("iframe")) {
    // This browser supports @sandbox. We can sandbox untrusted content with confidence.
}
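The following is an added example, not code from the original post, that ties the three points above together: feature detection, building a whitelist value for the sandbox attribute, and refusing to render untrusted content in browsers that lack @sandbox. The helper names (supportsSandbox, buildSandboxValue, renderSandboxedIframe, escapeAttr) and the "doc" parameter are assumptions made so the code can run under Node with a stubbed document as well as in a real page; the token names are the HTML sandbox keywords. It also goes slightly beyond the post by rejecting the allow-scripts plus allow-same-origin combination, which the HTML specification notes lets same-origin framed content remove its own sandbox attribute.

```javascript
// Added example (not from the original post): feature-detect @sandbox and
// build sandboxed iframe markup from an explicit whitelist of keywords.

// Sandbox keywords this helper accepts; anything else is rejected rather than
// passed through to the browser unchecked.
const KNOWN_TOKENS = new Set([
  'allow-forms',
  'allow-modals',
  'allow-pointer-lock',
  'allow-popups',
  'allow-popups-to-escape-sandbox',
  'allow-same-origin',
  'allow-scripts',
  'allow-top-navigation',
]);

// Feature detection as in the post: the "sandbox" property exists on an
// iframe element only in browsers that implement @sandbox. "doc" is an
// assumed parameter so a stub document can stand in for the real one.
function supportsSandbox(doc) {
  return 'sandbox' in doc.createElement('iframe');
}

// Validate the whitelist and return the attribute value string. Throws on
// unknown tokens and on allow-scripts combined with allow-same-origin, which
// lets same-origin framed content strip the sandbox attribute and reload.
function buildSandboxValue(tokens) {
  const normalized = [...new Set(tokens.map((t) => t.trim().toLowerCase()))];
  for (const t of normalized) {
    if (!KNOWN_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  if (normalized.includes('allow-scripts') && normalized.includes('allow-same-origin')) {
    throw new Error('allow-scripts with allow-same-origin defeats the sandbox for same-origin content');
  }
  return normalized.join(' ');
}

// Minimal attribute-value escaping so an attacker-influenced URL cannot close
// the src attribute and inject further markup (the "first line of defense").
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render the iframe markup. An empty token list yields sandbox="", which is
// the fully restricted sandbox of the bare attribute in the post. Returns
// null when the browser lacks @sandbox so the caller can decline to display
// untrusted content instead of falling back to an unsandboxed frame.
function renderSandboxedIframe(src, tokens, doc) {
  if (!supportsSandbox(doc)) return null;
  const value = buildSandboxValue(tokens);
  return `<iframe sandbox="${value}" src="${escapeAttr(src)}"></iframe>`;
}

// Constructed stand-ins for a supporting and a legacy browser so the example
// runs outside a real DOM; in a page, pass the global "document" instead.
const modernDoc = { createElement: () => ({ sandbox: '' }) };
const legacyDoc = { createElement: () => ({}) };

// Usage: the modern stub yields sandboxed markup, the legacy stub yields null.
console.log(renderSandboxedIframe('http://attacker.com/untrusted.html', ['allow-scripts', 'allow-forms'], modernDoc));
console.log(renderSandboxedIframe('http://attacker.com/untrusted.html', [], legacyDoc));
```

In a real page, replace the constructed stubs with the global document; the null return is the hook for the "display only in supporting browsers" policy, while the defense-in-depth deployment from the post is simply always emitting the attribute and letting legacy browsers ignore it.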

[Source]