
Re: Content Security Policy and iframe@sandbox

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 14 Feb 2011 10:20:04 +0000
Message-ID: <AANLkTimixyX+ZUOxy7X+L1m6CLdivHO7xJ2+xukAbu0r@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Adam Barth <w3c@adambarth.com>, "Steingruebl, Andy" <asteingruebl@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>

On 13 February 2011 21:54, sird@rckc.at <sird@rckc.at> wrote:

> Yeah, that's why it should be same origin.
>
> The attacker can't do anything new if it's locked to same origin.
>

What's locked to same origin? The attribute policy? The ability to modify
the policy is also an attack vector; if this was ever a true sandbox, giving
the attacker the ability to modify the behaviour on the page would be a really
bad idea IMO. If external domains couldn't create policies using iframes then
I guess that would be OK, although I would think it would be kinda pointless
as subdomains are often used to separate sandboxed content.
Received on Monday, 14 February 2011 10:20:37 GMT
