ABE Sandbox action and same-site (i)frames

Posted: Sun Dec 08, 2013 4:51 am
by Guest
Currently the ABE Sandbox action breaks many web pages because it indiscriminately blocks all frames and iframes, even those loading content from the same site as their parent.
Is there a security reason for this behaviour? Otherwise, a configuration option to allow same-site (i)frames would make ABE Sandbox rules much more useful.

Re: ABE Sandbox action and same-site (i)frames

Posted: Sun Dec 08, 2013 12:16 pm
by therube
Particular sites where this happens?
Particular rules that you are using?

Re: ABE Sandbox action and same-site (i)frames

Posted: Sun Dec 08, 2013 8:33 pm
by Guest
therube wrote: Particular sites where this happens?
http://krautchan.net/
therube wrote: Particular rules that you are using?
Site krautchan.net
Sandbox

krautchan.net is just an example - any ABE sandboxed frameset page will appear empty, the frame content source doesn't matter.

Re: ABE Sandbox action and same-site (i)frames

Posted: Sun Dec 08, 2013 11:36 pm
by Thrawn
I'm thinking that Sandbox was probably intended originally as an XSS defence. In which case, the site is potentially compromised and scripts coming from it shouldn't be automatically trusted.

Re: ABE Sandbox action and same-site (i)frames

Posted: Mon Dec 09, 2013 12:05 am
by Guest
Thrawn wrote: I'm thinking that Sandbox was probably intended originally as an XSS defence. In which case, the site is potentially compromised and scripts coming from it shouldn't be automatically trusted.
Sandbox filtering scripts and other active content - including third-party (i)frames - is reasonable, but blocking content from the same site just because it would load in an (i)frame doesn't make sense to me.

Re: ABE Sandbox action and same-site (i)frames

Posted: Mon Dec 09, 2013 10:36 pm
by Thrawn
Do you understand the idea of cross-site scripting?

Re: ABE Sandbox action and same-site (i)frames

Posted: Tue Dec 10, 2013 6:29 am
by Guest
Thrawn wrote: Do you understand the idea of cross-site scripting?
So the best solution would be an about:config preference similar to noscript.forbidIFramesContext but for the ABE Sandbox.