diff --git a/iframe-sandbox/README.md b/iframe-sandbox/README.md index 6c9baa378..d317f4044 100644 --- a/iframe-sandbox/README.md +++ b/iframe-sandbox/README.md @@ -10,19 +10,12 @@ a sandboxed iframe to execute arbitrary code. ## Goals To run untrusted code within an iframe, with the ability to communicate with -host to read, write, and subscribe to values in a key value store. - -Code within an iframe **MUST NOT** be able to communicate with any third party. - -For example, private data could be added to query parameters in a background -image or JS module URL. - -In the future, there could be verified authors and domains per frame. +host to read, write, and subscribe to values in a key value store, not allowing +code to communicate with any external third party. > [!CAUTION] -> During experimental development, there are currently hardcoded CDNs that are -> accessible in the iframe context. Data could be exfiltrated this way to those -> CDNs. +> During experimental development, there are intentional gaps in the sandboxing +> to enable product features where data within the sandbox may be exfiltrated. ## Usage @@ -70,9 +63,11 @@ frame that propagates to the inner (untrusted) frame across browsers. ## Incomplete Security Considerations -- Currently, the hardcoded CDNs (and their logging services) **MAY** receive - exfiltrated data. We should only allow 1P mediated communications in the - future. +Some of these are shortcomings of implementation, and some are intentional +product decisisons during experimentation. + +- Hardcoded CDNs (and their logging services) are an exfiltration vector. +- Allowing anchor elements with `target="_blank"` is an exfiltration vector. - `document.baseURI` is accessible in an iframe, leaking the parent URL - Currently without CFC, data can be written in the iframe containing other sensitive data, or newly synthesized fingerprinting via capabilities 
diff --git a/iframe-sandbox/src/common-iframe-sandbox.ts b/iframe-sandbox/src/common-iframe-sandbox.ts index 37e7ac2c4..16cfda940 100644 --- a/iframe-sandbox/src/common-iframe-sandbox.ts +++ b/iframe-sandbox/src/common-iframe-sandbox.ts @@ -498,7 +498,7 @@ export class CommonIframeSandboxElement extends LitElement {
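Review bot: In the README Goals hunk, the new `> [!CAUTION]` text states that the gaps are "intentional" and "enable product features", while the Incomplete Security Considerations hunk in the same patch says some gaps are "shortcomings of implementation"; the two statements should agree, e.g. "there are known gaps in the sandboxing (some intentional, some not yet fixed) through which data within the sandbox may be exfiltrated; see Incomplete Security Considerations below". The hunk also drops the RFC-style requirement "Code within an iframe **MUST NOT** be able to communicate with any third party" and the concrete illustration of how that fails ("private data could be added to query parameters in a background image or JS module URL"); folding the requirement into a subordinate clause of the Goals sentence weakens a security invariant that reviewers of later changes will want to cite, and the illustration is the only place the README explains why a loaded subresource counts as a third-party channel. Suggest keeping the bolded MUST NOT sentence and the example, and either keeping the "verified authors and domains per frame" note or saying it has been dropped deliberately.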
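Review bot: In the Incomplete Security Considerations hunk, the new lead-in says "Some of these are shortcomings of implementation, and some are intentional product decisisons during experimentation" but none of the bullets says which is which, so the classification it promises is not delivered; tag each bullet (e.g. "(intentional, experimental)" or "(not yet implemented)") so a reader knows what is expected to be fixed versus accepted. "decisisons" is a typo for "decisions". The removed line "We should only allow 1P mediated communications in the future" was the only stated mitigation direction for the CDN vector; if that is still the plan, keep it on the "Hardcoded CDNs" bullet, and give the new `target="_blank"` bullet the same treatment (what the intended end state is) rather than listing the vector alone.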