W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: Content Security Policy and iframe@sandbox

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 14 Feb 2011 10:20:04 +0000
Message-ID: <AANLkTimixyX+ZUOxy7X+L1m6CLdivHO7xJ2+xukAbu0r@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Adam Barth <w3c@adambarth.com>, "Steingruebl, Andy" <asteingruebl@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On 13 February 2011 21:54, sird@rckc.at <sird@rckc.at> wrote:

> Yeah, that's why it should be same origin.
> The attacker can't do anything new if it's locked to same origin.

What's locked to same origin? The attribute policy? The ability to modify
the policy is also an attack vector, if this was ever a true sandbox giving
the attacker to modify the behaviour on the page would be a really bad idea
IMO. If external domains couldn't create policies using iframes then I guess
that would be ok although I would think it would be kinda pointless as sub
domain are often used to separate sandboxed content.
Received on Monday, 14 February 2011 10:20:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC