Re: CSP Directive Proposal: Sandbox from gaz Heyes on 2011-02-22 (public-web-security@w3.org from February 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 22 Feb 2011 08:52:14 +0000
To: Adam Barth <w3c@adambarth.com>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
Message-ID: <AANLkTi=g2LJUrA_PZJpGRgioVJrRmGboHrHWAU5sKfR2@mail.gmail.com>

On 22 February 2011 00:42, Adam Barth <w3c@adambarth.com> wrote:

> > 1. When sandbox kicks in, I get a unique origin right?
>
> Yes.
>

How does this unique origin work? I can't find it defined anywhere. I see a
couple of problems with it....

1. If the unique origin is defined in the url what happens when a link is
clicked, does it send the referrer?
2. If the unique origin is different than the URL itself then how can that
work since same origin policy will be broken
3. Lets say the unique origin uses the about protocol, is each unique
protocol classed as a separate domain on each browser, e.g. about:1, about:2
can you set cookies on about:1 then can be read by about:2
4. What if a sandbox allows JavaScript and the location is written
somewhere, would that expose the unique origin?

Received on Tuesday, 22 February 2011 08:52:46 UTC