CSP Directive Proposal: Sandbox

I'd like to propose the following CSP directive:

Syntax:

directive-name = "sandbox"
directive-value = sandbox-policy

sandbox-policy = "" / sandbox-flag *( 1*LWS sandbox-flag )
sandbox-flag = "allow-same-origin" / "allow-top-navigation" /
"allow-forms" / "allow-scripts"

Semantics:

Essentially, the user agent would apply the same security rules from
<http://www.whatwg.org/specs/web-apps/current-work/#attr-iframe-sandbox>
(e.g., as if the document were contained in an iframe with the
corresponding sandbox attribute).

Example:

Content-Security-Policy: sandbox allow-scripts

This policy would allow the document to run scripts, but the document
would have a "unique origin" as its security context, so it wouldn't
be able to do things like access document.cookie or localStorage.
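The following is an added example, not code from the original post: a small Python parser for the proposed directive, written directly from the ABNF above, plus a summary of what a parsed policy implies for the document (unique origin unless allow-same-origin is present, scripts only with allow-scripts) and the equivalent iframe sandbox attribute value. The function and class names (parse_sandbox_policy, SandboxPolicy, effective_sandbox, parse_csp_header) and the case-insensitive treatment of flag tokens (borrowed from the HTML sandbox attribute) are assumptions of this example; the CSP header splitter is deliberately minimal.

```python
"""Parser for the proposed CSP "sandbox" directive (added example; not part of
the original proposal). Implements the ABNF from the proposal:

    sandbox-policy = "" / sandbox-flag *( 1*LWS sandbox-flag )
    sandbox-flag   = "allow-same-origin" / "allow-top-navigation" /
                     "allow-forms" / "allow-scripts"

Names below are hypothetical; the effects summary follows the proposal's own
description of the iframe sandbox semantics.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Flags listed in the ABNF, in the order they appear there.
SANDBOX_FLAG_ORDER = ("allow-same-origin", "allow-top-navigation",
                      "allow-forms", "allow-scripts")
SANDBOX_FLAGS = frozenset(SANDBOX_FLAG_ORDER)


@dataclass(frozen=True)
class SandboxPolicy:
    flags: frozenset = field(default_factory=frozenset)

    @property
    def unique_origin(self) -> bool:
        # Without allow-same-origin the document runs in a unique origin, so
        # the real origin's document.cookie / localStorage are unreachable.
        return "allow-same-origin" not in self.flags

    @property
    def scripts_enabled(self) -> bool:
        return "allow-scripts" in self.flags

    def iframe_attribute(self) -> str:
        # Equivalent <iframe sandbox="..."> value, flags in the ABNF's order.
        return " ".join(f for f in SANDBOX_FLAG_ORDER if f in self.flags)


def parse_sandbox_policy(value: str) -> SandboxPolicy:
    """Parse a sandbox directive-value. Unknown flags raise ValueError rather
    than being ignored, so a typo cannot quietly loosen the sandbox."""
    # 1*LWS = one or more space/tab characters; str.split() handles both.
    tokens = [t.lower() for t in value.split()]  # assumption: tokens are case-insensitive
    unknown = [t for t in tokens if t not in SANDBOX_FLAGS]
    if unknown:
        raise ValueError("unknown sandbox flag(s): %s" % ", ".join(unknown))
    return SandboxPolicy(frozenset(tokens))


def parse_csp_header(value: str) -> Dict[str, str]:
    """Minimal splitter for a Content-Security-Policy header value:
    directives separated by ';', each a name followed by an optional value."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        pieces = part.split(None, 1)
        if not pieces:
            continue  # empty segment, e.g. a trailing ';'
        name = pieces[0].lower()
        directives[name] = pieces[1].strip() if len(pieces) > 1 else ""
    return directives


def effective_sandbox(header_value: str) -> Optional[SandboxPolicy]:
    """Return the SandboxPolicy a header value imposes, or None when the header
    carries no sandbox directive (the document is then not sandboxed at all)."""
    directives = parse_csp_header(header_value)
    if "sandbox" not in directives:
        return None
    return parse_sandbox_policy(directives["sandbox"])


if __name__ == "__main__":
    # The proposal's own example: scripts run, but in a unique origin.
    policy = effective_sandbox("sandbox allow-scripts")
    print("scripts:", policy.scripts_enabled, "unique origin:", policy.unique_origin)
    print("iframe equivalent:", repr(policy.iframe_attribute()))
    # A bare "sandbox" with no flags is the most restrictive form.
    print("bare sandbox flags:", sorted(effective_sandbox("default-src 'self'; sandbox").flags))
```

Running the module with the proposal's example header value reports scripts enabled and a unique origin, with an equivalent iframe attribute of "allow-scripts"; a bare "sandbox" directive parses to the empty flag set, i.e. the fully locked-down iframe sandbox.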

Thoughts?
Adam

Received on Monday, 21 February 2011 10:39:32 UTC