In Chrome 5, Google has added support for an HTML5 feature that can help developers improve security by including a sandboxing attribute in iframes.
Google Chrome 5, the latest iteration of Google's Web browser, is using a
feature to help Web developers
Google released the updated
Chrome browser May 24
with support for a sandbox attribute in iframes
that allows developers to reduce the privileges of parts of their Web pages.
The sandbox attribute has been highlighted before as a way developers can
boost security. Chris Wysopal, CTO of
Veracode, discussed the feature with eWEEK in
an article about HTML5 security,
and noted the feature could help
protect against malicious third-party ads.
In a May 27 post on the Chromium blog, Google Software Engineer Adam Barth
"When displaying untrusted.html
in a sandboxed iframe, the browser renders untrusted.html with reduced
Google Chrome sandboxes its rendering engine."
Among other things, with sandboxing implemented, iframes cannot access
execute scripts or read or write cookies, SQL databases or local storage.
"You can give untrusted.html some
of its privileges back by whitelisting the privileges in the value of the
sandbox attribute. ... Because @sandbox is a white list, the browser still imposes
the remainder of the sandbox restrictions on untrusted.html. For example,
untrusted.html does not have the privilege to create popup windows or
Developers using the feature should think carefully about how legacy
browsers will interpret their HTML, he advised.
"The easiest way to use @sandbox is for 'defense-in-depth,'" he
added. "Instead of relying upon @sandbox as your only line of defense, you
can use it as an additional security mitigation in case your first line of
defense (such as output encoding) fails. Because legacy browsers ignore
attributes they do not understand, you can add @sandbox to existing iframes and
improve security for users of newer browsers."