Bug 182248
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Supporting allow-top-navigation-by-user-activation to iframe sandbox | | |
| Product: | WebKit | Reporter: | Derek Nicol <derek.nicol> |
| Component: | Frames | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Major | CC: | augustine.fou, bfulgham, cdumez, dbates, fred.wang, rbuis, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari Technology Preview | | |
| Hardware: | All | | |
| OS: | All | | |
| Bug Depends on: | 171327 | | |
| Bug Blocks: | | | |
Derek Nicol
There is an existing bug that was marked Resolved Fixed for this, but in testing it doesn't look like this is working in any of the latest Safari Technology Preview and Stable builds for macOS and iOS. We've successfully tested this in Chrome and Opera.
Original Bug
https://bugs.webkit.org/show_bug.cgi?id=171327
We see it working in the following browsers:
- Chrome for desktop release 58
- Chrome for Android release 58
- Android WebView release 58
- Opera release 45
- Opera for Android release 45
Our test page for blocking a timed redirect, which is what these malware/fraudsters use in ad code:
http://rev.cbsi.com/corey/test/iframe/redirect/sandbox_allow-top-nav-by-user.html
We have the allow-top-navigation-by-user-activation enabled.
I marked this bug as major, but this is increasingly becoming a more and more needed feature to help combat the spread of malware/fraud. A good write-up on the problem: https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85
Radar WebKit Bug Importer
<rdar://problem/36996598>
Augustine Fou
This is a very important feature that publishers need to prevent the malicious redirects coming in through ad iframes.
Publishers need this
https://www.admonsters.com/can-sandboxing-defeat-redirects/
As soon as this bug is fixed, publishers can sandbox their iframes but allow user-initiated actions (like clicks on ads that open new tabs or windows). This will prevent the forced redirects that may expose users to malware/malvertising.
Brent Fulgham
Frédéric: It looks like Bug 171327 didn't completely resolve this. Can you take a look?
Frédéric Wang (:fredw)
(In reply to Brent Fulgham from comment #3)
> Frédéric: It looks like Bug 171327 didn't completely resolve this. Can you
> take a look?
@Brent: I'll take a look tomorrow. Per bug 171327 comment 11, it seems it worked on Safari technology preview 40 but not in Safari 11. Probably Apple knows better when the patches have been / will be integrated in releases?
Brent Fulgham
(In reply to Frédéric Wang (:fredw) from comment #4)
> (In reply to Brent Fulgham from comment #3)
> > Frédéric: It looks like Bug 171327 didn't completely resolve this. Can you
> > take a look?
>
> @Brent: I'll take a look tomorrow. Per bug 171327 comment 11, it seems it
> worked on Safari technology preview 40 but not in Safari 11. Probably Apple
> knows better when the patches have been / will be integrated in releases?
If it's still working in current STP, then I would expect it to be available in an upcoming release.
So, as long as it's working in current STP, it hasn't been regressed and it just hasn't been in the branch used for shipping Safari (yet).
Brent Fulgham
(In reply to Brent Fulgham from comment #5)
> (In reply to Frédéric Wang (:fredw) from comment #4)
> > (In reply to Brent Fulgham from comment #3)
> > > Frédéric: It looks like Bug 171327 didn't completely resolve this. Can you
> > > take a look?
> >
> > @Brent: I'll take a look tomorrow. Per bug 171327 comment 11, it seems it
> > worked on Safari technology preview 40 but not in Safari 11. Probably Apple
> > knows better when the patches have been / will be integrated in releases?
>
> If it's still working in current STP, then I would expect it to be available
> in an upcoming release.
>
> So, as long as it's working in current STP, it hasn't been regressed and it
> just hasn't been in the branch used for shipping Safari (yet).
For example, someone could try it in the Developer Seed published a week or so ago. That's the best metric for when you might expect to see it released.
Frédéric Wang (:fredw)
(In reply to Brent Fulgham from comment #6)
> > If it's still working in current STP, then I would expect it to be available
> > in an upcoming release.
> >
> > So, as long as it's working in current STP, it hasn't been regressed and it
> > just hasn't been in the branch used for shipping Safari (yet).
>
> For example, someone could try it in the Developer Seed published a week or
> so ago. That's the best metric for when you might expect to see it released.
So I just tested the following pages:
- WPT test (allow user navigation) http://w3c-test.org/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation-manual.html (it's manual, you must click the 'navigate the top page' to check the result)
- WPT test (forbid automatic navigation) http://w3c-test.org/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture.html
- WebKit demos (several manual tests) https://webkit.org/demos/frames/sandboxing/
- Reporter's demo: http://rev.cbsi.com/corey/test/iframe/redirect/sandbox_allow-top-nav-by-user.html
All of them work for me with Safari Tech Preview 48 on macOS (note that you may need to go to Safari's security preference in order to allow popups). With the latest Safari release (11.0.3) allow-top-navigation-by-user-activation does not have any effect so the fix has not been integrated yet.
Regarding Derek's test case, I understand that automatic redirect/popup should be blocked while top/parent/blank navigation by user click should work. This is what happens with Safari Tech Preview 48, except that the _blank popup is blocked (adding the allow-popups flag does allow such a popup). Chrome 64 behaves the same.
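The behaviour matrix described in the comment above, as an added example that is not part of the original thread and is not WebKit code: a small model of how the sandbox tokens gate navigation attempts from an ad frame, plus a publisher-side check of a slot's `sandbox` attribute. The function names and the sample attribute are hypothetical; the model assumes the frame is a direct child of the top-level page and ignores the browser's separate popup blocker.

```javascript
// Added illustration, not WebKit code. Function names are hypothetical.
// Assumes the sandboxed frame is a direct child of the top-level page, so
// "_parent" and "_top" both target the top-level browsing context, and
// ignores the browser's separate popup blocker.

function parseSandbox(attr) {
  // Sandbox tokens are whitespace-separated and matched case-insensitively.
  return new Set(attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// attempt: { target: "_top" | "_parent" | "_blank", userActivation: boolean }
function evaluateNavigation(sandboxAttr, attempt) {
  const tokens = parseSandbox(sandboxAttr);
  if (attempt.target === "_blank") {
    // New windows are gated by allow-popups, not by the top-navigation tokens.
    return tokens.has("allow-popups") ? "allowed" : "blocked";
  }
  if (tokens.has("allow-top-navigation")) return "allowed";
  const byUser = tokens.has("allow-top-navigation-by-user-activation");
  return byUser && attempt.userActivation ? "allowed" : "blocked";
}

// Publisher-side check of an ad slot's sandbox attribute.
function auditSandbox(sandboxAttr) {
  const tokens = parseSandbox(sandboxAttr);
  const findings = [];
  if (tokens.has("allow-top-navigation")) {
    findings.push("forced redirects possible: allow-top-navigation needs no user gesture");
    if (tokens.has("allow-top-navigation-by-user-activation")) {
      findings.push("allow-top-navigation-by-user-activation has no effect next to allow-top-navigation");
    }
  }
  return findings;
}

// Constructed sample attribute, in the style of the reporter's test page.
const AD_SLOT = "allow-scripts allow-top-navigation-by-user-activation";
const CASES = [
  { label: "timed redirect", target: "_top", userActivation: false },
  { label: "click, _top", target: "_top", userActivation: true },
  { label: "click, _parent", target: "_parent", userActivation: true },
  { label: "click, _blank", target: "_blank", userActivation: true },
];
for (const c of CASES) {
  console.log(`${c.label}: ${evaluateNavigation(AD_SLOT, c)}`);
}
```

In a browser that implements `DOMTokenList.supports()`, `document.createElement("iframe").sandbox.supports("allow-top-navigation-by-user-activation")` reports whether the engine recognises the token at all, which is the difference between the Safari builds compared in this thread.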
Derek Nicol
Thanks for the update, we will test on our side with Preview 48. Perhaps there is a doc somewhere on this but do we know how this would fork over the Safari on iOS? I assume that's an Apple question.
Frédéric Wang (:fredw)
(In reply to Derek Nicol from comment #8)
> Thanks for the update, we will test on our side with Preview 48.
Thanks.
> Perhaps there is a doc somewhere on this but do we know how this would fork over
> the Safari on iOS? I assume that's an Apple question.
Yes, there is a doc but I'm afraid it does not help: https://trac.webkit.org/wiki/FAQ#WillfeatureXXXbeincludedinthenextreleaseofSafari ;-)
Brent Fulgham
Apple does not comment on the content of future releases. However, I encourage you to try the current public beta <https://beta.apple.com/sp/betaprogram/> to see if your problem has been resolved.
Frédéric Wang (:fredw)
@Derek: I just tested with the latest releases of iOS and macOS and the allow-top-navigation-by-user-activation works for me using the tests from comment 7. See also my comment about your test case.
Frédéric Wang (:fredw)
(In reply to Derek Nicol from comment #8)
> Thanks for the update, we will test on our side with Preview 48. Perhaps
> there is a doc somewhere on this but do we know how this would fork over
> the Safari on iOS? I assume that's an Apple question.
@Derek: Any update on this?
Frédéric Wang (:fredw)
Resolving per comment 11.