Bug 182248 - Supporting allow-top-navigation-by-user-activation to iframe sandbox
Summary: Supporting allow-top-navigation-by-user-activation to iframe sandbox
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: Safari Technology Preview
Hardware: All All
Importance: P2 Major
Assignee: Nobody
URL:
Keywords: InRadar
Depends on: 171327
Blocks:
Reported: 2018-01-29 09:20 PST by Derek Nicol
Modified: 2018-11-20 11:27 PST
Description Derek Nicol 2018-01-29 09:20:53 PST
There is an existing bug that was marked Resolved Fixed for this, but in testing it doesn't look like this is working in any of the latest Safari Technology Preview and Stable builds for macOS and iOS. We've successfully tested this in Chrome and Opera.

Original Bug
https://bugs.webkit.org/show_bug.cgi?id=171327


We see it working in the following browsers
Chrome for desktop release 58
Chrome for Android release 58
Android WebView release 58
Opera release 45
Opera for Android release 45

Our test page for blocking a timed redirect, which is what these malware/fraudsters use in ad code.

http://rev.cbsi.com/corey/test/iframe/redirect/sandbox_allow-top-nav-by-user.html

We have the allow-top-navigation-by-user-activation enabled.

I marked this bug as major, but this is increasingly becoming a more and more needed feature to help combat the spread of malware/fraud. A good write-up on the problem: https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85
Comment 1 Radar WebKit Bug Importer 2018-01-29 12:19:42 PST
<rdar://problem/36996598>
Comment 2 Augustine Fou 2018-02-01 10:29:18 PST
This is a very important feature that publishers need to prevent the malicious redirects coming in through ad iframes.

Publishers need this
https://www.admonsters.com/can-sandboxing-defeat-redirects/

As soon as this bug is fixed, publishers can sandbox their iframes but allow user-initiated actions (like clicks on ads that open new tabs or windows). This will prevent the forced redirects that may expose users to malware/malvertising.
Comment 3 Brent Fulgham 2018-02-05 12:44:35 PST
Frédérick: It looks like Bug 171327 didn't completely resolve this. Can you take a look?
Comment 4 Frédéric Wang (:fredw) 2018-02-05 13:24:28 PST
(In reply to Brent Fulgham from comment #3)
> Frédérick: It looks like Bug 171327 didn't completely resolve this. Can you
> take a look?

@Brent: I'll take a look tomorrow. Per bug 171327 comment 11, it seems it worked on Safari technology preview 40 but not in Safari 11. Probably Apple knows better when the patches have been / will be integrated in releases?
Comment 5 Brent Fulgham 2018-02-05 17:18:54 PST
(In reply to Frédéric Wang (:fredw) from comment #4)
> (In reply to Brent Fulgham from comment #3)
> > Frédérick: It looks like Bug 171327 didn't completely resolve this. Can you
> > take a look?
> 
> @Brent: I'll take a look tomorrow. Per bug 171327 comment 11, it seems it
> worked on Safari technology preview 40 but not in Safari 11. Probably Apple
> knows better when the patches have been / will be integrated in releases?

If it's still working in current STP, then I would expect it to be available in an upcoming release.

So, as long as it's working in current STP, it hasn't been regressed and it just hasn't been in the branch used for shipping Safari (yet).
Comment 6 Brent Fulgham 2018-02-05 17:20:56 PST
(In reply to Brent Fulgham from comment #5)
> (In reply to Frédéric Wang (:fredw) from comment #4)
> > (In reply to Brent Fulgham from comment #3)
> > > Frédérick: It looks like Bug 171327 didn't completely resolve this. Can you
> > > take a look?
> > 
> > @Brent: I'll take a look tomorrow. Per bug 171327 comment 11, it seems it
> > worked on Safari technology preview 40 but not in Safari 11. Probably Apple
> > knows better when the patches have been / will be integrated in releases?
> 
> If it's still working in current STP, then I would expect it to be available
> in an upcoming release.
> 
> So, as long as it's working in current STP, it hasn't been regressed and it
> just hasn't been in the branch used for shipping Safari (yet).

For example, someone could try it in the Developer Seed published a week or so ago. That's the best metric for when you might expect to see it released.
Comment 7 Frédéric Wang (:fredw) 2018-02-06 01:55:01 PST
(In reply to Brent Fulgham from comment #6)
> > If it's still working in current STP, then I would expect it to be available
> > in an upcoming release.
> > 
> > So, as long as it's working in current STP, it hasn't been regressed and it
> > just hasn't been in the branch used for shipping Safari (yet).
> 
> For example, someone could try it in the Developer Seed published a week or
> so ago. That's the best metric for when you might expect to see it released.

So I just tested the following pages:

- WPT test (allow user navigation) http://w3c-test.org/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation-manual.html (it's manual, you must click the 'navigate the top page' to check the result)
- WPT test (forbid automatic navigation) http://w3c-test.org/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture.html
- WebKit demos (several manual tests) https://webkit.org/demos/frames/sandboxing/
- Reporter's demo: http://rev.cbsi.com/corey/test/iframe/redirect/sandbox_allow-top-nav-by-user.html

All of them work for me with Safari Tech Preview 48 on macOS (note that you may need to go to Safari's security preference in order to allow popups). With the latest Safari release (11.0.3) allow-top-navigation-by-user-activation does not have any effect so the fix has not been integrated yet.

Regarding Derek's test case, I understand that automatic redirect/popup should be blocked while top/parent/blank navigation by user click should work. This is what happens with Safari Tech Preview 48, except that the _blank popup is blocked (adding the allow-popups flag does allow such a popup). Chrome 64 behaves the same.
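
An added example, not part of the thread and not WebKit code: a simplified JavaScript model of the sandbox behaviour described in comment 7 (automatic top navigation blocked, click-driven top navigation allowed, `_blank` popups requiring allow-popups), plus a publisher-side audit of a sandbox value. The function names, the `engineKnowsUserFlag` switch and the sample attribute value are hypothetical.

```javascript
// Simplified model of the iframe sandbox rules from comment 7 (illustrative only).
const TOP_NAV = 'allow-top-navigation';
const TOP_NAV_USER = 'allow-top-navigation-by-user-activation';
const POPUPS = 'allow-popups';

// Split a sandbox attribute value into a set of lowercase tokens.
function parseSandbox(value) {
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// May the sandboxed frame perform `action` ('top' or 'popup')?
// engineKnowsUserFlag=false models an engine that ignores the newer token,
// as observed in the thread for Safari 11.0.3.
function isAllowed(sandboxValue, action, userActivated, engineKnowsUserFlag = true) {
  const flags = parseSandbox(sandboxValue);
  if (action === 'popup') return flags.has(POPUPS);
  if (action === 'top') {
    if (flags.has(TOP_NAV)) return true; // unconditional: no click needed
    return engineKnowsUserFlag && flags.has(TOP_NAV_USER) && userActivated;
  }
  throw new Error(`unknown action: ${action}`);
}

// Publisher-side check of a sandbox value intended for an ad iframe.
function auditAdSandbox(sandboxValue) {
  const flags = parseSandbox(sandboxValue);
  const findings = [];
  if (flags.has(TOP_NAV)) {
    findings.push('allow-top-navigation permits top-level redirects without a click');
    if (flags.has(TOP_NAV_USER)) {
      findings.push('both top-navigation tokens set; only allow-top-navigation takes effect');
    }
  } else if (!flags.has(TOP_NAV_USER)) {
    findings.push('no top-navigation token; ad clicks cannot navigate the top page');
  }
  if (!flags.has(POPUPS)) {
    findings.push('allow-popups missing; target=_blank clicks are blocked');
  }
  return findings;
}

// Constructed sample value for an ad iframe.
const sample = 'allow-scripts allow-top-navigation-by-user-activation';
console.log('timed redirect:', isAllowed(sample, 'top', false));
console.log('click to top:  ', isAllowed(sample, 'top', true));
console.log('click _blank:  ', isAllowed(sample, 'popup', true));
console.log('audit:', auditAdSandbox(sample));
```

In a browser, `document.createElement('iframe').sandbox.supports('allow-top-navigation-by-user-activation')` reports whether the engine recognizes the token.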
Comment 8 Derek Nicol 2018-02-06 08:36:27 PST
Thanks for the update, we will test on our side with Preview 48. Perhaps there is a doc somewhere on this, but do we know how this would fork over the Safari on iOS? I assume that's an Apple question.
Comment 9 Frédéric Wang (:fredw) 2018-02-06 09:08:30 PST
(In reply to Derek Nicol from comment #8)
> Thanks for the update, we will test on our side with Preview 48.

Thanks.

> Perhaps there is a doc somewhere on this, but do we know how this would fork over
> the Safari on iOS? I assume that's an Apple question.

Yes, there is a doc but I'm afraid it does not help: https://trac.webkit.org/wiki/FAQ#WillfeatureXXXbeincludedinthenextreleaseofSafari ;-)
Comment 10 Brent Fulgham 2018-02-07 09:14:52 PST
Apple does not comment on the content of future releases. However, I encourage you to try the current public beta <https://beta.apple.com/sp/betaprogram/> to see if your problem has been resolved.
Comment 11 Frédéric Wang (:fredw) 2018-03-30 12:12:57 PDT
@Derek: I just tested with the latest releases of iOS and macOS and the allow-top-navigation-by-user-activation works for me using the tests from comment 7. See also my comment about your test case.
Comment 12 Frédéric Wang (:fredw) 2018-06-25 08:53:35 PDT
(In reply to Derek Nicol from comment #8)
> Thanks for the update, we will test on our side with Preview 48. Perhaps
> there is a doc somewhere on this, but do we know how this would fork over
> the Safari on iOS? I assume that's an Apple question.

@Derek: Any update on this?
Comment 13 Frédéric Wang (:fredw) 2018-11-20 11:27:56 PST
Resolving per comment 11.