Re: CSP Directive Proposal: Sandbox

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 21 Feb 2011 10:48:39 -0800
Message-ID: <AANLkTikwgN4oG70q8C9odjkH-PHtr9fK=5+RhoFX16iW@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: public-web-security@w3.org

On Mon, Feb 21, 2011 at 10:41 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 21 February 2011 18:18, Adam Barth <w3c@adambarth.com> wrote:
>>
>> I'm not sure I understand.  Are you assuming that the document is
>> loaded in the top-most frame?
>
> Maybe we're talking about different things but if allow-top-navigation
> exists in the CSP policy then I assume by default it isn't allowed.

That's correct.  By default, the sandbox directive (and the sandbox
attribute of iframes) blocks top-level navigation from subframes.

> Therefore any clicks/redirections to a different domain with a new CSP
> policy that allows top redirects would break the policy of the original CSP
> server.

Ah, I understand your point.  That's true for some examples, but not
true in general.  For example, sandbox policies, as defined by HTML5,
propagate to subframes.  Although the document with the CSP policy
could use something like meta-refresh to circumvent the navigation
restrictions, the documents contained in subframes would not be able
to do so.

Another point of view on this issue is that there's value in matching
HTML5's definition of "sandbox" rather than tinkering with it.

Adam
Received on Monday, 21 February 2011 18:49:45 GMT
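
A simplified model of the propagation described in this message, added here as an illustration and not taken from the thread or from any browser's code. It covers only four sandbox tokens; the flag names, `parseSandbox`, `effectiveFlags` and the frame tree are constructed for this example.

```javascript
// Simplified model of HTML5 sandbox flags: a flag that is set blocks the capability.
const TOKEN_TO_FLAG = new Map([
  ['allow-top-navigation', 'top-navigation'],
  ['allow-scripts', 'scripts'],
  ['allow-forms', 'forms'],
  ['allow-same-origin', 'same-origin'],
]);
const ALL_FLAGS = [...TOKEN_TO_FLAG.values()];

// null/undefined: no sandbox from this source, so it blocks nothing.
// Empty string: sandbox with no tokens, so it blocks everything.
function parseSandbox(value) {
  if (value === null || value === undefined) return new Set();
  const blocked = new Set(ALL_FLAGS);
  for (const token of value.toLowerCase().split(/\s+/).filter(Boolean)) {
    if (TOKEN_TO_FLAG.has(token)) blocked.delete(TOKEN_TO_FLAG.get(token));
  }
  return blocked;
}

// Flags accumulate down the frame tree (set union): a subframe's own attribute
// or CSP policy can add restrictions but cannot clear an inherited one.
function effectiveFlags(frame, inherited = new Set(), out = {}) {
  const active = new Set([
    ...inherited,
    ...parseSandbox(frame.iframeSandbox), // sandbox attribute on the <iframe>
    ...parseSandbox(frame.cspSandbox),    // sandbox directive in the document's CSP
  ]);
  out[frame.name] = [...active].sort();
  for (const child of frame.children || []) effectiveFlags(child, active, out);
  return out;
}

// Constructed frame tree: the top document omits allow-top-navigation, and both
// descendants try to grant it to themselves.
const tree = {
  name: 'top', cspSandbox: 'allow-scripts',
  children: [{
    name: 'child', iframeSandbox: 'allow-scripts allow-top-navigation',
    children: [{ name: 'grandchild', cspSandbox: 'allow-top-navigation allow-forms' }],
  }],
};
const flags = effectiveFlags(tree);
for (const [name, blocked] of Object.entries(flags)) {
  console.log(name, 'blocked:', blocked.join(', '));
}
```

The model tracks flags only; it does not represent navigation paths such as the meta-refresh case mentioned above for the document that carries the policy itself.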
