W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

CSP Directive Proposal: Sandbox

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 21 Feb 2011 02:38:24 -0800
Message-ID: <AANLkTi=e+-onedydkmJKNz6MyVJDf_J35xs7JZ3bLxrP@mail.gmail.com>
To: public-web-security@w3.org
I'd like to propose the following CSP directive:


directive-name = "sandbox"
directive-value = sandbox-policy

sandbox-policy = "" / sandbox-flag *( 1*LWS sandbox-flag )
sandbox-flag = "allow-same-origin" / "allow-top-navigation" /
"allow-forms" / "allow-scripts"


Essentially, the user agent would apply the same security rules from
(e.g., as if the document were contained in an iframe with the
corresponding sandbox attribute).


Content-Security-Policy: sandbox allow-scripts

This policy would allow the document to run scripts, but the document
would have a "unique origin" as its security context, so it wouldn't
be able to do things like access document.cookie or localStorage.

Received on Monday, 21 February 2011 10:39:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC