Setting policy when origins are not known ahead of time

[sandinmyjoints]

As suggested here, I'm opening an issue to describe a problem we've run into that prevents us from using sandbox on iframes.

In short, we run ads, and ads create iframes programatically. We don't know ahead of time where those iframes will be hosted. It'd be great to have a way of specifying a policy to apply to all cross-origin iframes.

I wrote up the problem more fully here: http://williambert.online/2015/10/How-HTML5-sandboxes-could-be-so-much-more-useful/

I confess to not reading the draft spec in its entirety, but I did find something that looks related to this in the Source Lists definition. The definition of host-part includes *. Would this allow me to write a CSP that applies sandboxing restrictions (including any allow flags that I choose to use) to any iframes created on my page from any and all origins?

[sandinmyjoints]

After reading #12, I now understand better the story behind https://mikewest.github.io/csp-embedded-enforcement/ My question with embedded enforcement is the same: can I apply it broadly without knowing origins ahead of time?

[mikewest]

We're (finally) getting closer to shipping something like https://w3c.github.io/webappsec-csp/embedded/ in Chrome. Perhaps you could skim that doc to see if it suits your needs?

[sandinmyjoints]

Thanks for the pointer @mikewest. From skimming it, it sounds like the use cases I am talking about are not covered. The problem in a nutshell is that we, the content publisher, cannot know embedded content origins ahead of time. This is the nature of the ad marketplace in 2017. There are thousands of possible origins, and they change frequently. The libs we load from our ad partners create the iframes, or load other code that create the iframes, and so it goes.

What we need is a template, a way of saying "for all cross-origin iframes that are going to be created, apply the following sandbox rules (eg, the new allow-top-navigation-by-user-activation which would be very useful for us!) Maybe something like <html iframe-sandbox-template="allow-top-navigation-by-user-activation allow-script allow-same-origin allow-forms">. Does that make sense?

[Malvoz]

This may be solved by the Require-Document-Policy HTTP header defined in Document Policies :)

[sandinmyjoints]

Thanks, @Malvoz -- that does look promising for solving this issue!