Re: CSP Directive Proposal: Sandbox

From: <sird@rckc.at>
Date: Mon, 21 Feb 2011 11:38:19 -0800
Message-ID: <AANLkTikuVU25rTcuZx7F9_MbVg6brrw0NC1ZSY-C_yVE@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
Oh btw, regarding this idea of putting sandbox in a CSP rule.

I like it. But I would have preferred if it was the other way around..
And let a sandboxed iframe have CSP rules.

Either way, if we have:

CSP: sandbox;script-src http://*.google.com

What will happen? The rules conflict with each other. I know the
answer will be that no scripts will be allowed.. but that's
counterintuitive.. What about

CSP: sandbox allow-scripts;

Then script-src and inline-script rules are useless?

Greetings!!
-- Eduardo




On Mon, Feb 21, 2011 at 11:33 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 21 February 2011 19:21, sird@rckc.at <sird@rckc.at> wrote:
>>
>> Would be cool if we had a "disallow-navigation" rule which disallows
>> the user from navigating to any links.
>
> +1
>
> Same-domain navigation restrictions would be awesome
>
Received on Monday, 21 February 2011 19:39:13 GMT
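
The directive interaction asked about in the message above, as an added example that is not part of the original post or of any CSP draft: a simplified JavaScript model that assumes the semantics later CSP specifications settled on, where the sandbox flags and script-src are enforced independently and a script must pass both. The function names and the other.example URL are constructed for illustration, and policies are passed as the header value without the "CSP:" prefix.

```javascript
// Added illustration: simplified model of how sandbox and script-src combine.
// Assumption: both checks are enforced independently (later CSP semantics).

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate a trailing ';'
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Simplified source matching: scheme://host with an optional leading "*.".
// Keywords, ports and paths are out of scope for this sketch.
function sourceMatches(expr, url) {
  if (expr === '*') return true;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^\/:]+)$/i.exec(expr);
  if (!m) return false;
  const u = new URL(url);
  if (u.protocol !== m[1].toLowerCase() + ':') return false;
  const host = m[3].toLowerCase();
  // "*.google.com" matches subdomains only, not google.com itself.
  return m[2] ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

function scriptDecision(header, scriptUrl) {
  const policy = parsePolicy(header);
  const sandbox = policy.get('sandbox');
  // Check 1: a sandbox without allow-scripts disables script execution,
  // whatever script-src says.
  if (sandbox && !sandbox.map(t => t.toLowerCase()).includes('allow-scripts')) {
    return 'blocked: sandbox without allow-scripts';
  }
  // Check 2: script-src (falling back to default-src) still restricts origins.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return 'allowed';
  if (!sources.some(s => sourceMatches(s, scriptUrl))) return 'blocked: script-src';
  return 'allowed';
}
```

Under this model script-src is not made useless by `sandbox allow-scripts`: the sandbox token only re-enables script execution, and script-src then narrows which origins may supply scripts.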