Defense in Depth: HTML5 Sandbox

HTML5 Sandbox introduces new ways for web developers to lock down content out of their control. A few examples of ways 3rd-party content can hijack your site are shown below. For each, try enabling HTML5 Sandbox to see how it protects you.

Information Disclosure

Many sites, such as blogs with user-submitted comments, display content submitted by users. Without proper protections built in to the site, malicious users could post seemingly harmless content that behind the scenes attempts to access priviledged information (for example, your cookies for the blog site).

Notice below that seemingly harmless "blog post" (fake) has actually "stolen" your cookies.
Try enabling Sandbox to see how access to such priviledged information could be prevented by the blog site's owner.

Sandbox Cookie Access: ALLOWED


Imagine you're reading a legitimate news article about your bank. However, a malicious "ad" appears on the right offering what looks like a direct login to your bank. If you mistakenly "log in" using the ad, your credentials could be submitted to the attacker. The news site could better protect you using HTML5 Sandbox in order to prevent the submission.

Try "logging in" to the fake malicious ad below. Then try it with Sandbox enabled.

Sandbox Form Submission: ALLOWED

WoodGrove Bank Announces Merger with Contoso Investments

by Clippy

SEATTLE-Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vestibulum placerat, ipsum fringilla pharetra vestibulum, justo leo condimentum elit, ut tincidunt urna quam quis turpis. Nunc risus dolor, cursus et accumsan a, tincidunt id diam. Morbi feugiat facilisis iaculis. Suspendisse adipiscing pharetra augue non interdum. Quisque rutrum pretium lectus, non consequat tortor luctus vel. Vestibulum tincidunt gravida eros in hendrerit. Integer et ultrices urna. Ut quam justo, ultrices in interdum quis, facilisis nec neque. Phasellus eget feugiat nisl. Morbi leo sapien, pretium sed porta quis, bibendum ac nibh. Praesent blandit venenatis accumsan. Vivamus nec volutpat dolor. In iaculis bibendum ante, elementum facilisis odio accumsan non. Pellentesque justo lectus, rutrum sit amet rutrum eget, adipiscing vitae urna. Nunc eu enim luctus nunc vehicula ultrices. Nullam quis velit id enim fringilla viverra quis vitae nibh. Morbi faucibus purus ac mauris feugiat ut mattis nibh fermentum. Donec suscipit arcu et nisl ornare bibendum. Fusce porttitor aliquam lacus eget rutrum. Curabitur est ipsum, iaculis et lobortis at, fermentum eu augue.

Ut purus odio, pellentesque imperdiet dictum sit amet, scelerisque in magna. Suspendisse id velit turpis. Donec mattis magna et libero pellentesque accumsan. Donec non nulla nec lacus varius mattis. Nunc ut tellus quis mauris sollicitudin eleifend. Curabitur in velit purus, eget ornare eros. Aliquam erat volutpat. Phasellus nec lorem id nisi ultrices sollicitudin in sed ipsum. Phasellus malesuada pretium risus. Curabitur nec tempor orci. Integer gravida, sem eget ultricies lacinia, nisi arcu pulvinar erat, quis consequat turpis odio ultricies lacus. Aenean sagittis leo eu eros lacinia id blandit odio imperdiet. Proin consequat vehicula purus ut ultricies. Etiam quis tempor tellus. In eu odio at nisi lacinia bibendum. Aenean auctor, lectus at ultrices blandit, justo odio gravida quam, sed commodo sapien felis a leo. Praesent turpis dolor, faucibus ac aliquet in, mattis at dolor.

Page Redirection

The fake ad above is attempting to redirect you to a fake malicious site (without you even clicking it).
HTML5 Sandbox is preventing it from doing so.

Try disabling sandbox to see how the ad could maliciously redirect you.

Sandbox Page Redirection: BLOCKED

Controlling Popups

While not malicious, popups can be quite annoying. HTML5 Sandbox by default will prevent popups from occuring. Sometimes, however, popups are wanted. For example, below there is a Bing Maps control which offers popup windows to view bigger maps.

Authors can allow popups inside sandboxed content for scenarios like the one below.

By default, the links below won't work inside a Sandbox. Try enabling popups inside the Sandbox.

Sandbox Popups: BLOCKED

What is HTML5 Sandbox?

Hosting 3rd-party content on a site is very common: advertisements, blog comments, widgets, etc. Whenever such content is placed on a site, it puts the site at risk for attacks such as cross-site scripting (XSS), phishing, or information disclosure. It also puts the site at risk for non-malicious departures from the intended user experience like unwanted popups. Developers go to great lengths to attempt to lock down this content.

HTML5 Sandbox introduces new tools to help web developers further lock down such content. By placing the content in an iframe, the developer can specify the sandbox attribute on the iframe to apply a set of basic security restrictions:

<iframe src="untrusted.html" sandbox></iframe>

Some of these default restrictions can be lifted by placing whitespace separated allow tokens in the attribute's value:

<iframe src="untrusted.html" sandbox="allow-scripts allow-forms"></iframe>

The above code applies all the restrictions listed above except script execution and form submission are allowed. The supported tokens are: