
Re: CSP Directive Proposal: Sandbox

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 21 Feb 2011 16:42:25 -0800
Message-ID: <AANLkTikTAVJ7LWFZRheM7pT-w1+SB+XMjWUuVOn-SVDN@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
On Mon, Feb 21, 2011 at 4:37 PM, sird@rckc.at <sird@rckc.at> wrote:
> So, the moment I say "sandbox", I get several new restrictions that I
> wasn't expecting:

That depends on what you're expecting.  :)

> 1. When sandbox kicks in, I get a unique origin right?

Yes.

> 2.  If I want to use a sandbox rule, such as.. allow-top-navigation, I
> will have to do "allow-forms" as well, or mysteriously, my forms will
> stop working.

Yes.

> 3. If I want to use allow-top-navigation and allow Flash, how can I do
> that? With CSP alone, I can.. but if you add sandbox, then there's no
> way.

That's correct.  Using sandbox blocks all plugins.  Currently, there
is no way to re-enable plugins inside an HTML sandbox.  We hope to
improve that situation in the future by coordinating with plugin
vendors.  When that's ready, we'll add an allow-plugins policy that
turns on plugins that understand the HTML sandbox.

> Anyways, I'm not saying it's a bad idea, I like it.. it's just that it
> may get so complicated to get right, that no one will end up using it.

It works exactly the same as the sandbox attribute on iframes.  It's
not any more or less complicated or surprising than that.

Adam


> On Mon, Feb 21, 2011 at 12:20 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Mon, Feb 21, 2011 at 11:38 AM, sird@rckc.at <sird@rckc.at> wrote:
>>> Oh btw, regarding this idea of putting sandbox in a CSP rule.
>>>
>>> I like it. But I would have preferred if it was the other way around..
>>> And let a sandboxed iframe to have CSP rules.
>>>
>>> Either way, If we have:
>>>
>>> CSP: sandbox;script-src http://*.google.com
>>>
>>> What will happen? The rules conflict with each other. I know the
>>> answer will be that no scripts will be allowed.. but that's
>>> counterintuitive..
>>
>> It seems relatively intuitive.  Just think of each CSP directive as
>> forbidding things.  Then it's easy to understand how the directives
>> combine.
>>
>>> What about
>>>
>>> CSP: sandbox allow-scripts;
>>>
>>> Then script-src and inline-script rules are useless?
>>
>> The script-src and inline-script directives still work fine in that
>> scenario.  Keep in mind that we need to have the interaction between
>> CSP and iframe@sandbox be well-defined and sensible because they're
>> already easy to combine even without the sandbox directive in CSP.
>>
>> Adam
>>
>>
>>> On Mon, Feb 21, 2011 at 11:33 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>>>> On 21 February 2011 19:21, sird@rckc.at <sird@rckc.at> wrote:
>>>>>
>>>>> Would be cool if we had a "disallow-navigation" rule which disallows
>>>>> the user to navigate to any links.
>>>>
>>>> +1
>>>>
>>>> Same-domain navigation restrictions would be awesome
>>>>
>>>
>>
>
Received on Tuesday, 22 February 2011 00:43:28 GMT
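The "each directive only forbids" rule that Adam describes, worked through as an added example that is not part of this thread or of any browser's CSP implementation. It models only the directive names and flags discussed above (sandbox, allow-scripts, allow-forms, allow-top-navigation, script-src) with a simplified host-source match; the parser and the checked actions are constructed for illustration and are not the specification's algorithm.

```python
def parse_csp(header):
    """Parse 'directive value value; directive ...' into {directive: [values]}.

    A directive with no values (e.g. a bare 'sandbox') maps to an empty list,
    which is distinct from the directive being absent.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(source, origin):
    """Simplified host-source match: optional scheme plus a host that may start with '*.'."""
    scheme, _, host = source.partition("://")
    origin_scheme, _, origin_host = origin.partition("://")
    if scheme and scheme != origin_scheme:
        return False
    if host.startswith("*."):
        # '*.google.com' matches 'www.google.com' but not the bare 'google.com'
        return origin_host.endswith(host[1:])
    return host == origin_host


def allows(policy, action, origin=None):
    """An action is allowed only if no directive forbids it.

    action: 'script', 'form', 'top-navigation' or 'plugin'.
    origin: the script's origin, needed only when script-src is present.
    """
    sandbox = policy.get("sandbox")  # None when absent, [] when present with no flags
    if sandbox is not None:
        if action == "script" and "allow-scripts" not in sandbox:
            return False
        if action == "form" and "allow-forms" not in sandbox:
            return False
        if action == "top-navigation" and "allow-top-navigation" not in sandbox:
            return False
        if action == "plugin":
            return False  # sandbox blocks all plugins; there is no allow-plugins flag
    if action == "script":
        sources = policy.get("script-src")
        if sources is not None:
            # script-src restricts further: sandbox's allow-scripts does not widen it
            return origin is not None and any(host_matches(s, origin) for s in sources)
    return True
```

Running the two policies from the thread through `allows` shows why "sandbox; script-src http://*.google.com" loads no scripts at all, while "sandbox allow-scripts; script-src http://*.google.com" still honours script-src.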
