Please consider whether new APIs/functionality should be disabled by default in sandboxed iframes

When adding a new API or CSS/HTML feature, please consider whether it 
should be disabled by default in sandboxed iframes, with a sandbox token 
to enable.

Note that this is impossible to do post-facto to already-shipped APIs, 
due to breaking compat.  But for an API just being added, this is a 
reasonable option and should be strongly considered.

-Boris
0
Boris
1/11/2017 5:35:00 PM
mozilla.dev.platform 5845 articles. 0 followers. Post Follow

2 Replies
59 Views

Similar Articles

[PageSpeed] 5

Hi Boris,

Did a particular feature triggered your message?

Would it make sense to add the question to the "Intent to Implement" email =
template?
https://wiki.mozilla.org/WebAPI/ExposureGuidelines#Intent_to_Implement

"Intent to" emails seem like a good time to ask this questions/raise:
* the feature is not implemented yet
* other browsers vendors are reading the "intent to" emails, so there is an=
 opportunity for this question to be fixed in an interoperable manner

David


Le mercredi 11 janvier 2017 18:34:56 UTC+1, Boris Zbarsky a =C3=A9crit=C2=
=A0:
> When adding a new API or CSS/HTML feature, please consider whether it=20
> should be disabled by default in sandboxed iframes, with a sandbox token=
=20
> to enable.
>=20
> Note that this is impossible to do post-facto to already-shipped APIs,=20
> due to breaking compat.  But for an API just being added, this is a=20
> reasonable option and should be strongly considered.
>=20
> -Boris

0
David
2/27/2017 12:07:57 PM
On 2/27/17 7:07 AM, David Bruant wrote:
> Did a particular feature triggered your message?

No, it was just something I had been thinking about for a bit.

> Would it make sense to add the question to the "Intent to Implement" email template?
> https://wiki.mozilla.org/WebAPI/ExposureGuidelines#Intent_to_Implement

That's probably a good idea.  I added it there:

    Is this feature enabled by default in sandboxed iframes? If not, is 
there a proposed sandbox flag to enable it? If allowed, does it preserve 
the current invariants in terms of what sandboxed iframes can do?

-Boris
0
Boris
2/27/2017 2:20:25 PM
Reply: