HTML 5 adds the sandbox attribute to the IFRAME element to prevent untrusted Web pages from performing some operations. Ian Hickson, editor of the HTML 5 specification, talked about the benefits of sandbox, which can prevent the following operations:
◆ Access the DOM of the parent page (technically, this is because IFRAME has become a different source than IFRAME of the parent page)
◆ Execute the script
◆ Embed your own forms or manipulate forms through scripts
◆ Read/write of cookies, local storage, or local SQL database
The revision history page of HTML 5 also mentions other features of sandbox:
◆ Disable plug-ins
◆ Forbid navigation of other browsing contexts
◆ Disable the pop-up window and mode dialog box
◆ Iframes is notorious for security issues, mainly because iframes is often used to embed third-party content, while the latter may perform some malicious operations.
◆ Sandbox enhances the security of iframes by limiting the operations permitted by the embedded content. This method separates the sandbox content from the parent page, thus limiting the permission of the content to be embedded.
The MIME type of sandbox is text/html-sandboxed. Hickson said:
Text/html-sandboxed MIME type ensures that the user does not access Untrusted content. It contains two parts: First, if the user accesses the page directly, the browser cannot render those pages with the text/html-sandboxed MIME type. Currently, all browsers support this feature. These browsers will download the page tag but will not render the page. Secondly, browsers that support the sandbox attribute need to render iframes with the text/html-sandboxed MIME type (but restricted by the permissions set in the sandbox attribute). So far, no browser has implemented this, this is also true for Google Chrome (it renders the parent page, but downloads the IFRAME content instead of rendering it in IFRAME ). Therefore, this technology cannot be used yet, unless Google updates chrome to support this technology (theoretically, other browser vendors will implement this technology after implementing support for the sandbox attribute, let's wait and see ).
Currently, only Google Chrome 4.0 uses sandbox, and Firefox, IE8, and Safari have not yet implemented this, but I believe these browsers will be implemented soon. There are many things around the HTML 5 <video> element. Google implements it through the H.264 standard, while other browsers use different standards or are not implemented yet. But this does not happen here, because every browser can freely decide how to implement sandbox internally. But even if all mainstream browsers adopt sandbox tomorrow, many developers and content managers cannot use it immediately, because there are so many legacy browsers that will ignore this attribute, therefore, the safe solution is to adopt regular security measures to protect iframes.