
Re: CSP Directive Proposal: Sandbox

From: <sird@rckc.at>
Date: Mon, 21 Feb 2011 16:37:39 -0800
Message-ID: <AANLkTinQ+SrCCzwb_1Xxxy+zK6O_kqpHBFcr-q9RLc+p@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
So, the moment I say "sandbox", I get several new restrictions that I
wasn't expecting:

1. When sandbox kicks in, I get a unique origin, right?

2. If I want to use a sandbox rule, such as allow-top-navigation, I
will have to do "allow-forms" as well, or mysteriously, my forms will
stop working.

3. If I want to use allow-top-navigation and allow Flash, how can I do
that? With CSP alone, I can.. but if you add sandbox, then there's no

Anyways, I'm not saying it's a bad idea, I like it. It's just that it
may get so complicated to get right that no one will end up using it.


-- Eduardo

On Mon, Feb 21, 2011 at 12:20 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Feb 21, 2011 at 11:38 AM, sird@rckc.at <sird@rckc.at> wrote:
>> Oh btw, regarding this idea of putting sandbox in a CSP rule:
>> I like it. But I would have preferred it the other way around,
>> and let a sandboxed iframe have CSP rules.
>> Either way, if we have:
>> CSP: sandbox;script-src http://*.google.com
>> What will happen? The rules conflict with each other. I know the
>> answer will be that no scripts will be allowed, but that's
>> counterintuitive.
> It seems relatively intuitive.  Just think of each CSP directive as
> forbidding things.  Then it's easy to understand how the directives
> combine.
>> What about
>> CSP: sandbox allow-scripts;
>> Then script-src and inline-script rules are useless?
> The script-src and inline-script directives still work fine in that
> scenario.  Keep in mind that we need to have the interaction between
> CSP and iframe@sandbox be well-defined and sensible because they're
> already easy to combine even without the sandbox directive in CSP.
> Adam
>> On Mon, Feb 21, 2011 at 11:33 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>>> On 21 February 2011 19:21, sird@rckc.at <sird@rckc.at> wrote:
>>>> Would be cool if we had a "disallow-navigation" rule which disallows
>>>> the user from navigating to any links.
>>> +1
>>> Same-domain navigation restrictions would be awesome
Received on Tuesday, 22 February 2011 00:38:32 UTC
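The combination rule Adam states in the thread above (each CSP directive only forbids, so the directives combine by intersection) is easy to model. The following is an added illustration, not code from the thread, from any browser, or from the CSP specification. It models a policy string such as `sandbox allow-scripts; script-src http://*.google.com` and reports which directives forbid a given action, covering the three cases raised in the thread: `sandbox` without `allow-scripts` blocking scripts regardless of `script-src`, `script-src` still filtering once `allow-scripts` is present, and `sandbox allow-top-navigation` blocking form submission because `allow-forms` was not listed. Assumptions: the source-expression matcher handles only `scheme://host` with an optional leading `*.` (no ports, paths or keyword sources); sandbox flags are treated as a flat list; an embedding iframe's `sandbox` attribute is modelled as a second policy string; the function and field names (`forbidders`, `isAllowedUnderAll`, `action.type`) are mine.

```javascript
// Added example, not code from the thread, a browser, or the CSP spec:
// a toy model of how a `sandbox` directive combines with `script-src`.
// Rule modelled (Adam Barth's, from the thread): each directive only
// forbids, so an action is allowed only when no applicable directive
// forbids it. Simplifications (assumptions): source expressions are
// scheme://host with an optional leading "*." and nothing else; sandbox
// flags are a flat list; an embedding iframe's sandbox attribute is
// modelled as a second policy string.

// "sandbox allow-scripts; script-src http://*.google.com"
//   -> { sandbox: ["allow-scripts"], "script-src": ["http://*.google.com"] }
function parsePolicy(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name] = values; // for "sandbox" the values are the allow-* flags
  }
  return policy;
}

// Simplified source-expression match: scheme must be equal; host must be
// equal or, with a "*." prefix, a proper subdomain. Ports, paths and
// keyword sources are deliberately not modelled.
function sourceMatches(expr, url) {
  const u = new URL(url);
  const parts = expr.split("://");
  if (parts.length !== 2) return false;
  const [scheme, host] = parts;
  if (scheme + ":" !== u.protocol) return false;
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // ".google.com"
    return u.hostname.endsWith(suffix) && u.hostname.length > suffix.length;
  }
  return u.hostname === host;
}

// Return the directives that forbid `action`; an empty list means allowed.
// action: { type: "script", url } | { type: "form-submit" } | { type: "top-navigation" }
function forbidders(policy, action) {
  const out = [];
  const sandbox = policy.sandbox; // undefined when there is no sandbox directive
  const flagMissing = (flag) => sandbox !== undefined && !sandbox.includes(flag);
  switch (action.type) {
    case "script": {
      if (flagMissing("allow-scripts")) out.push("sandbox");
      const srcs = policy["script-src"];
      if (srcs && !srcs.some((e) => sourceMatches(e, action.url))) out.push("script-src");
      break;
    }
    case "form-submit":
      if (flagMissing("allow-forms")) out.push("sandbox");
      break;
    case "top-navigation":
      if (flagMissing("allow-top-navigation")) out.push("sandbox");
      break;
  }
  return out;
}

function isAllowed(header, action) {
  return forbidders(parsePolicy(header), action).length === 0;
}

// A document may sit under several policies at once (its own CSP header plus
// the sandbox attribute of the iframe embedding it). Same rule: any forbid wins.
function isAllowedUnderAll(headers, action) {
  return headers.every((h) => forbidders(parsePolicy(h), action).length === 0);
}

// Constructed cases mirroring the thread (sample input, not captured traffic).
const googleScript = { type: "script", url: "http://www.google.com/app.js" };
const cases = [
  ["sandbox; script-src http://*.google.com", googleScript], // blocked by sandbox
  ["sandbox allow-scripts; script-src http://*.google.com", googleScript], // allowed
  ["sandbox allow-scripts; script-src http://*.google.com",
    { type: "script", url: "http://evil.example/x.js" }], // blocked by script-src
  ["sandbox allow-top-navigation", { type: "form-submit" }], // blocked: no allow-forms
];
for (const [header, action] of cases) {
  console.log(JSON.stringify(header), action.type, forbidders(parsePolicy(header), action));
}
```

The point the model makes concrete is that adding `sandbox` never relaxes anything: `script-src` keeps filtering by source once `allow-scripts` is present, and every capability the sandbox withholds (forms, top navigation) stays withheld until its own `allow-*` flag is spelled out, which is exactly the extra surface Eduardo is worried about.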

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC