Many sites, such as blogs with user-submitted comments, display content submitted by users. Without proper protections built into the site, malicious users could post seemingly harmless content that behind the scenes attempts to access privileged information (for example, your cookies for the blog site).
Notice below that the seemingly harmless (fake) "blog post" has actually "stolen" your cookies.
Try enabling Sandbox to see how the blog site's owner could prevent access to such privileged information.
Imagine you're reading a legitimate news article about your bank. However, a malicious "ad" appears on the right offering what looks like a direct login to your bank. If you mistakenly "log in" using the ad, your credentials could be submitted to the attacker. The news site could better protect you by using HTML5 Sandbox to prevent the submission.
Try "logging in" to the fake malicious ad below. Then try it with Sandbox enabled.
The fake ad above is attempting to redirect you to a fake malicious site (without you even clicking on it).
HTML5 Sandbox is preventing it from doing so.
Try disabling Sandbox to see how the ad could maliciously redirect you.
While not malicious, popups can be quite annoying. HTML5 Sandbox by default prevents popups from occurring. Sometimes, however, popups are wanted. For example, below there is a Bing Maps control which offers popup windows to view bigger maps.
Authors can allow popups inside sandboxed content for scenarios like the one below.
By default, the links below won't work inside a Sandbox. Try enabling popups inside the Sandbox.
Hosting third-party content on a site is very common: advertisements, blog comments, widgets, etc. Whenever such content is placed on a site, it puts the site at risk of attacks such as cross-site scripting (XSS), phishing, or information disclosure. It also puts the site at risk of non-malicious departures from the intended user experience, such as unwanted popups. Developers go to great lengths to lock down this content.
HTML5 Sandbox introduces new tools to help web developers further lock down such content. By placing the content in an iframe, the developer can specify the
sandbox attribute on the iframe to apply a set of basic security restrictions:
<iframe src="untrusted.html" sandbox></iframe>
- Plugins are disabled.
- Script execution is blocked.
- Form submission is blocked.
- The content is treated as if it came from a globally unique origin. This means that every API which requires same-origin access (such as localStorage, XMLHttpRequest, and access to the DOM of other documents) is blocked.
- The content is blocked from navigating the top level window or other frames on the page (excluding child frames of the sandboxed content).
- Popup windows are blocked.
Some of these default restrictions can be lifted by placing whitespace-separated allow tokens in the attribute's value:
<iframe src="untrusted.html" sandbox="allow-scripts allow-forms"></iframe>
The above code applies all the restrictions listed above except that script execution and form submission are allowed. The supported tokens are:
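The following is an added example, not code from the original page or from the Internet Explorer Test Drive demo: it models, in plain JavaScript, which restrictions remain in force for a given sandbox attribute value, builds the iframe markup with the value escaped, and flags the one token combination that a reviewer should reject. The token names (allow-scripts, allow-forms, allow-same-origin, allow-top-navigation, allow-popups) are taken from the HTML specification rather than from the page's list, which is truncated above; browsers split the attribute on ASCII whitespace, compare tokens case-insensitively, and silently ignore tokens they do not recognize.

```javascript
// Added example (not from the original page). Token set assumed from the HTML
// specification; the page's own token list is truncated.
const KNOWN_TOKENS = new Set([
  "allow-scripts",
  "allow-forms",
  "allow-same-origin",
  "allow-top-navigation",
  "allow-popups",
]);

// Parse the attribute value the way a browser does: split on ASCII whitespace,
// compare case-insensitively, drop unknown tokens, de-duplicate.
function parseSandboxTokens(value) {
  const tokens = new Set();
  for (const raw of String(value).split(/[ \t\n\f\r]+/)) {
    const t = raw.toLowerCase();
    if (t && KNOWN_TOKENS.has(t)) tokens.add(t);
  }
  return tokens;
}

// Restrictions still in force for a given attribute value. Plugins are always
// disabled inside a sandbox; no token turns them back on.
function effectiveRestrictions(value) {
  const t = parseSandboxTokens(value);
  return {
    pluginsBlocked: true,
    scriptsBlocked: !t.has("allow-scripts"),
    formsBlocked: !t.has("allow-forms"),
    uniqueOrigin: !t.has("allow-same-origin"),
    topNavigationBlocked: !t.has("allow-top-navigation"),
    popupsBlocked: !t.has("allow-popups"),
  };
}

// Review check: allow-scripts together with allow-same-origin lets a framed
// document that shares the host's origin script the host page and remove the
// sandbox attribute from its own iframe, so the sandbox protects nothing.
function auditSandbox(value) {
  const t = parseSandboxTokens(value);
  const findings = [];
  if (t.has("allow-scripts") && t.has("allow-same-origin")) {
    findings.push(
      "allow-scripts + allow-same-origin: same-origin content can script the host and strip the sandbox attribute"
    );
  }
  return findings;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the iframe markup for untrusted content. Unknown tokens are dropped
// rather than passed through; an empty token list yields the fully locked-down
// sandbox="" form, which is equivalent to the bare sandbox attribute.
function sandboxedIframe(src, tokens = []) {
  const value = tokens.filter((t) => KNOWN_TOKENS.has(t)).join(" ");
  return `<iframe src="${escapeAttr(src)}" sandbox="${escapeAttr(value)}"></iframe>`;
}

// Usage: reproduce the page's second snippet and audit a risky variant.
console.log(sandboxedIframe("untrusted.html", ["allow-scripts", "allow-forms"]));
console.log(effectiveRestrictions("allow-scripts allow-forms"));
console.log(auditSandbox("allow-scripts allow-same-origin"));
```

When reviewing markup that embeds third-party content, run the attribute value through auditSandbox: the allow-scripts plus allow-same-origin pairing is only safe when the framed document is guaranteed to come from a different origin than the host page.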