Block external protocol handler with sandboxed iframes

ArthurSonzogni · web-flow · commit dbdc4bdac2de · 2021-10-15T13:11:34.000-04:00
Closes #2191.
diff --git a/source b/source
@@ -86739,8 +86739,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
      is neither "<code data-x="javascript protocol">javascript</code>" nor a <span>fetch
      scheme</span></dt>
      <dd><p>Run <span>process a navigate URL scheme</span> given <var>resource</var>'s <span
-     data-x="concept-request-url">URL</span>, <var>browsingContext</var>, and
-     <var>hasTransientActivation</var>.</p></dd>
+     data-x="concept-request-url">URL</span>, <var>browsingContext</var>, <var>sandboxFlags</var>,
+     and <var>hasTransientActivation</var>.</p></dd>
     </dl>
    </li>
   </ol>
@@ -87012,8 +87012,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    error</span>.</p></li>
 
    <li><p>Otherwise, if <var>locationURL</var> is a <span>URL</span>, then <span>process a navigate
-   URL scheme</span> given <var>locationURL</var>, <var>browsingContext</var>, and
-   <var>hasTransientActivation</var>, and return.</p></li>
+   URL scheme</span> given <var>locationURL</var>, <var>browsingContext</var>,
+   <var>sandboxFlags</var>, and <var>hasTransientActivation</var>, and return.</p></li>
 
    <li><p>Let <var>responsePolicyContainer</var> be the result of <span>creating a policy container
    from a fetch response</span> given <var>response</var> and <var>request</var>'s <span
@@ -87222,22 +87222,24 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    <li><p>Otherwise, the document's <var>type</var> is such that the resource will not affect
    <var>browsingContext</var>, e.g., because the resource is to be handed to an external application
    or because it is an unknown type that will be processed <span>as a download</span>.
-   <span>Hand-off to external software</span> given <var>response</var> and
-   <var>hasTransientActivation</var>.</p></li>
+   <span>Hand-off to external software</span> given <var>response</var>, <var>browsingContext</var>,
+   <var>navigationParams</var>'s <span data-x="navigation-params-sandboxing">final sandboxing flag
+   set</span>, and <var>hasTransientActivation</var>.</p></li>
 
    <!-- It's unclear what integration points with external spces should exist for the last two cases.
    Maybe it's enough to handle them as downloads? -->
   </ol>
 
   <p>To <dfn>process a navigate URL scheme</dfn>, given a <span>URL</span> <var>url</var>, a
-  <span>browsing context</span> <var>browsingContext</var>, and a boolean
-  <var>hasTransientActivation</var>:</p>
+  <span>browsing context</span> <var>browsingContext</var>, a <span>sandboxing flag set</span>
+  <var>sandboxFlags</var>, and a boolean <var>hasTransientActivation</var>:</p>
 
   <ol>
    <li><p>If <var>url</var> is to be handled using a mechanism that does not affect
    <var>browsingContext</var>, e.g., because <var>url</var>'s <span
    data-x="concept-url-scheme">scheme</span> is handled externally, then <span>hand-off to external
-   software</span> given <var>url</var> and <var>hasTransientActivation</var>.</p></li>
+   software</span> given <var>url</var>, <var>browsingContext</var>, <var>sandboxFlags</var>, and
+   <var>hasTransientActivation</var>.</p></li>
 
    <li>
     <p>Otherwise, <var>url</var> is to be handled by displaying some sort of inline content, e.g.,
@@ -87252,17 +87254,48 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
   </ol>
 
   <p>To <dfn>hand-off to external software</dfn> given a <span>URL</span> or <span
-  data-x="concept-response">response</span> <var>resource</var> and a boolean
-  <var>hasTransientActivation</var>, user agents should perform the appropriate handoff of
-  <var>resource</var> while attempting to mitigate the risk that this is an attempt to exploit the
-  target software. For example, user agents could prompt the user to confirm that the <span>source
-  browsing context</span>'s <span>active document</span>'s <span
-  data-x="concept-document-origin">origin</span> is to be allowed to invoke the external software in
-  question. In particular, if <var>hasTransientActivation</var> is false, then the user agent should
-  not invoke the external software package without prior user confirmation.</p>
-
-  <p class="example">For example, there could be a vulnerability in the target software's URL
-  handler which a hostile page would attempt to exploit by tricking a user into clicking a link.</p>
+  data-x="concept-response">response</span> <var>resource</var>, a <span>browsing context</span>
+  <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, and a
+  boolean <var>hasTransientActivation</var>, user agents should:</p>
+
+  <ol>
+   <li>
+    <p>If <var>browsingContext</var> is not a <span>top-level browsing context</span>, and none
+    of:</p>
+
+    <ul>
+     <li><p><var>sandboxFlags</var> contains the <code
+     data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>
+     token and <var>hasTransientActivation</var> is true</p></li>
+
+     <li><p><var>sandboxFlags</var> contains the <code
+     data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> token</p></li>
+
+     <li><p><var>sandboxFlags</var> contains the <code
+     data-x="attr-iframe-sandbox-allow-popups">allow-popups</code> token</p></li>
+    </ul>
+
+    <p>hold, then return without invoking the external software package.</p>
+
+    <p class="note">Navigation inside an iframe toward external software can be seen by users as a
+    new popup or a new top-level navigation. Therefore, we enforcing sandbox flags
+    appropriately.</p>
+   </li>
+
+   <li>
+    <p>Perform the appropriate handoff of <var>resource</var> while attempting to mitigate the risk
+    that this is an attempt to exploit the target software. For example, user agents could prompt
+    the user to confirm that the <span>source browsing context</span>'s <span>active
+    document</span>'s <span data-x="concept-document-origin">origin</span> is to be allowed to
+    invoke the external software in question. In particular, if <var>hasTransientActivation</var> is
+    false, then the user agent should not invoke the external software package without prior user
+    confirmation.</p>
+
+    <p class="example">For example, there could be a vulnerability in the target software's URL
+    handler which a hostile page would attempt to exploit by tricking a user into clicking a
+    link.</p>
+   </li>
+  </ol>
 
   <p>To <dfn data-x="javascript protocol">execute a <code>javascript:</code> URL request</dfn>,
   given a <span data-x="concept-request">request</span> <var>request</var>, a <span>browsing
@@ -126429,6 +126462,7 @@ INSERT INTERFACES HERE
   Arne Thomassen,
   Aron Spohr,
   Arphen Lin,
+  Arthur Sonzogni, <!-- ArthurSonzogni on GitHub -->
   Arthur Stolyar,
   Arun Patole,
   Aryeh Gregor,
