W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: CSP Directive Proposal: Sandbox

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 21 Feb 2011 12:20:02 -0800
Message-ID: <AANLkTinjnVxDL4tBXbJFyZod4VvqaDjtGuEPB1gHxBdd@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
On Mon, Feb 21, 2011 at 11:38 AM, sird@rckc.at <sird@rckc.at> wrote:
> Oh btw, regarding this idea of putting sandbox in a CSP rule.
>
> I like it. But I would have preferred if it was the other way around..
> And let a sandboxed iframe to have CSP rules.
>
> Either way, If we have:
>
> CSP: sandbox;script-src http://*.google.com
>
> What will happen? The rules conflict with each other. I know the
> answer will be, that no scripts will be allowed.. but that's counter
> intuitive..

It seems relatively intuitive.  Just think of each CSP directive as
forbidding things.  Then it's easy to understand how the directives
combine.

> What about
>
> CSP: sandbox allow-scripts;
>
> Then script-src and inline-script rules are useless?

The script-src and inline-script directives still work fine in that
scenario.  Keep in mind that we need to have the interaction between
CSP and iframe@sandbox be well-defined and sensible because they're
already easy to combine even without the sandbox directive in CSP.

Adam


> On Mon, Feb 21, 2011 at 11:33 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>> On 21 February 2011 19:21, sird@rckc.at <sird@rckc.at> wrote:
>>>
>>> Would be cool if we had a "disallow-navigation" rule which disallow's
>>> the user to navigate to any links.
>>
>> +1
>>
>> Same domain navigations restrictions would be awesome
>>
>
Received on Monday, 21 February 2011 20:21:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 21 February 2011 20:21:12 GMT