The problem of malvertising is becoming a bigger issue all the time. I'd suggest adding an option to sandbox iframe tags, so that the stuff that runs in the iframe would not be able to:
- perform top-window redirects
- run javascript (serve static HTML only)
- open any new windows (not clickable banner, branded advertising, for example)
- prevent content from using plugins (e.g. if you want to block video when you sell placement for HTML ads only)
- access publisher's cookies

This is just a list of the most basic limitations. Obviously, sandboxing should be very well documented to avoid confusion about things that would certainly not work. For example, video autoplay, access to window.top.location.href (and advise to use window.location.ancestorOrigins), etc.
I am sure that there is a wide range of measures that can be taken to secure asynchronous tags as well, since they also utilize iframes.
Also, installing Revive Adserver in a completely different TLD and using iframes can be good security advice, since cross-origin iframes natively have good security limitations (CORS).
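
An added example (not part of the issue and not Revive Adserver code) of how the restrictions listed above map onto the HTML sandbox attribute: a tag builder that denies every capability unless the publisher opts in. The function names, option keys and example.* URLs are assumptions made for illustration.

```javascript
// Added example: deny-by-default mapping from the issue's list to sandbox tokens.
// Plugins need no entry: any sandboxed frame has them disabled, with no opt-in token.
const CAPABILITY_TOKENS = {
  topRedirect: "allow-top-navigation", // top-window redirects
  scripts: "allow-scripts",            // run JavaScript
  newWindows: "allow-popups",          // open new windows (click-through)
  sameOrigin: "allow-same-origin",     // keep the real origin (cookies, storage)
};

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical helper: publisherOrigin and adUrl are constructed inputs,
// allow is an object whose keys come from CAPABILITY_TOKENS.
function buildSandboxedIframe(publisherOrigin, adUrl, allow = {}, width = 300, height = 250) {
  const ad = new URL(adUrl);
  if (ad.protocol !== "https:") throw new Error("ad URL must be https");
  const known = Object.keys(CAPABILITY_TOKENS);
  const unknown = Object.keys(allow).filter((k) => !known.includes(k));
  if (unknown.length > 0) throw new Error("unknown capability: " + unknown.join(", "));

  // A frame on the publisher's own origin that gets both allow-scripts and
  // allow-same-origin can reach its <iframe> element and strip the sandbox.
  const sharesOrigin = ad.origin === new URL(publisherOrigin).origin;
  if (sharesOrigin && allow.scripts && allow.sameOrigin) {
    throw new Error("scripts + sameOrigin on the publisher origin defeats the sandbox");
  }

  const tokens = known.filter((k) => allow[k] === true).map((k) => CAPABILITY_TOKENS[k]);

  // sandbox="" (no tokens) applies every restriction.
  return `<iframe src="${escapeAttr(ad.href)}" sandbox="${tokens.join(" ")}" ` +
    `width="${Number(width)}" height="${Number(height)}"></iframe>`;
}

// Constructed sample: static HTML ad served from a separate ad domain.
console.log(buildSandboxedIframe(
  "https://publisher.example.com",
  "https://ads.example.net/frame?zoneid=1&cb=2"
));
```

Without allow-same-origin the frame gets an opaque origin, so it reads neither the publisher's cookies nor the ad domain's own.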
Zer0Divis0r changed the title from "Feature request: sandboxing of iframe tags" to "Feature request: sandboxing of iframe tags and asynchronous tags" on Jan 29, 2017
erikgeurts changed the title from "Feature request: sandboxing of iframe tags and asynchronous tags" to "Sandboxing of iframe tags and asynchronous tags" on Jan 30, 2017
From my very recent experience, the sandboxing should be expanded far beyond just the "sandbox" iframe attribute. An IAB-compliant sandbox should be implemented in Revive, otherwise it leaves websites vulnerable to, for example, malicious redirects that can arrive from third-party ad tags.
This would also require the administrator to provide a separate domain that would serve the sandbox HTML code.