Sandboxing of iframe tags and asynchronous tags

[Zer0Divis0r]

The problem of malvertising is becoming bigger issue all the time. I'd suggest adding an option to sandbox iframe tags, so that the stuff that runs in iframe would not be able to:

• perform top-window redirects
• run javascript (serve static HTML only)
• open any new windows (not clickable banner, branded advertising, for example)
• prevent content from using plugins (eg. if you want to block video when you sell placement for HTML ads only)
• access publishers cookies

This is just the list of most basic limitations. Obviously, sandboxing should be very well documented to avoid confusion about things that would certainly not work. For example, video autoplay, access to window.top.location.href (and advise to use window.location.ancestorOrigins), etc.

I am sure that there is a wide range of measures that can be taken to secure asynchronous tags as well, since they also utilize iframes.

Also, installing Revive Adserver in a completely different TLD and using iframes can be a good security advise, since cross-origin iframes natively have good security limitations (CORS).

[jonas-eberle]

Has anyone tested the use of the HTML5 sandbox attribute? Sounds suitable for this:
https://www.w3schools.com/tags/att_iframe_sandbox.asp

[Zer0Divis0r]

Yes. The list of sandboxing options I have suggested reflects available values of the sandbox HTML5 attribute.

[Zer0Divis0r]

From my very recent experience, the sandboxing should be expanded far beyond just "sandbox" iframe attribute. An iab-compliant sandbox should be implemented in Revive, otherwise it leaves websites vulnerable to, for example. malicious redirects that can arrive from third-party ad tags.
This would also require from administrator to provide a separate domain that would serve the sandbox HTML code.