diTii.com Digital News Hub

Google Chrome 5: Using HTML5’s @sandbox attribute in iframes

Google Chrome 5 is the first browser that supports an HTML5 feature that lets web developers reduce the privileges of parts of their web pages by including a "sandbox" attribute on iframes: <iframe sandbox src="http://attacker.com/untrusted.html"></iframe>. The framed document then runs with reduced privileges (e.g., JavaScript and popups disabled), similar in spirit to how Google Chrome sandboxes its rendering engine.

You can give untrusted.html some of its privileges back by whitelisting them in the value of the sandbox attribute. If you want untrusted.html to be able to run scripts and contain forms, you could use: <iframe sandbox="allow-scripts allow-forms" src="http://attacker.com/untrusted.html"></iframe>. Because @sandbox is a whitelist, the browser still imposes the remaining sandbox restrictions on untrusted.html.

When using the sandbox attribute, you need to think carefully about how legacy browsers (which don't support @sandbox) will interpret the HTML. The easiest way to use @sandbox is for "defense-in-depth." Instead of relying on @sandbox as your only line of defense, you can use it as an additional security mitigation in case your first line of defense (such as output encoding) fails. Because legacy browsers ignore attributes they don't understand, you can add @sandbox to existing iframes and improve security for users of newer browsers.

If you want to display untrusted content only in browsers that support @sandbox, you can detect whether the browser supports @sandbox using the following code:

if ("sandbox" in document.createElement("iframe")) {
    // This browser supports @sandbox. We can sandbox untrusted
    // content with confidence.
} else {
    // Legacy browser: @sandbox would be ignored, so don't load the untrusted content here.
}
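The following is an added example, not code from the article or from the Chrome team, that puts the feature detection and the whitelist together: it builds a sandboxed iframe for untrusted content with an explicit allow-list and returns null instead of embedding anything when the browser would silently ignore @sandbox. The token list extends the article's allow-scripts and allow-forms with the remaining tokens from the HTML specification, and the fakeDocument helper is a constructed stand-in for the browser's document so the code can run outside a browser. The rejection of allow-scripts combined with allow-same-origin reflects the specification's own warning that a same-origin framed page could then remove the sandbox attribute and reload itself.

```javascript
// Added example (not from the article): embed untrusted content only when
// @sandbox is honoured, with an explicit allow-list of privileges.

// Sandbox tokens defined by the HTML spec. The article names only
// allow-scripts and allow-forms; the others are the spec's remaining tokens.
const KNOWN_TOKENS = new Set([
  "allow-scripts", "allow-forms", "allow-same-origin",
  "allow-popups", "allow-top-navigation",
]);

// Feature detection exactly as the article does it: an iframe element that
// understands @sandbox exposes it as a DOM property.
function supportsSandbox(doc) {
  return "sandbox" in doc.createElement("iframe");
}

// Turn a list of privileges into the attribute value. An unknown token is
// silently ignored by the browser, so the frame would get fewer privileges
// than the developer intended and the page would quietly break; reject it.
function buildSandboxValue(privileges) {
  for (const p of privileges) {
    if (!KNOWN_TOKENS.has(p)) throw new Error("unknown sandbox token: " + p);
  }
  // allow-scripts plus allow-same-origin: if the framed document is same-origin
  // with the embedding page it can strip the sandbox attribute and reload,
  // so this combination is refused for content the page does not trust.
  if (privileges.includes("allow-scripts") && privileges.includes("allow-same-origin")) {
    throw new Error("allow-scripts + allow-same-origin is rejected for untrusted content");
  }
  return privileges.join(" ");
}

// Create the iframe, or return null when @sandbox is unsupported so the caller
// can fall back (e.g. show a link instead of the content). The sandbox
// attribute is set before src so it is in effect when the content loads.
function embedUntrusted(doc, url, privileges) {
  if (!supportsSandbox(doc)) return null;
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", buildSandboxValue(privileges));
  frame.setAttribute("src", url);
  return frame;
}

// Constructed stand-in for `document` so this runs outside a browser.
// hasSandbox=true imitates Chrome 5; false imitates a legacy browser.
function fakeDocument(hasSandbox) {
  return {
    createElement(tag) {
      const attrs = {};
      const el = {
        tagName: tag,
        setAttribute(k, v) { attrs[k] = v; },
        getAttribute(k) { return attrs[k]; },
      };
      if (hasSandbox) el.sandbox = "";
      return el;
    },
  };
}

// Demo when run directly; in a real page pass the browser's `document`.
if (typeof document === "undefined") {
  const url = "http://attacker.com/untrusted.html";
  const modern = embedUntrusted(fakeDocument(true), url, ["allow-scripts", "allow-forms"]);
  console.log(modern.getAttribute("sandbox")); // "allow-scripts allow-forms"
  console.log(embedUntrusted(fakeDocument(false), url, [])); // null
}
```

In a page you would call embedUntrusted(document, url, [...]) and append the returned frame to the DOM, treating a null result as "this browser cannot isolate the content", which is the behaviour the article describes for browsers without @sandbox.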

