
Re: CSP Directive Proposal: Sandbox

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 22 Feb 2011 08:52:14 +0000
Message-ID: <AANLkTi=g2LJUrA_PZJpGRgioVJrRmGboHrHWAU5sKfR2@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org

On 22 February 2011 00:42, Adam Barth <w3c@adambarth.com> wrote:

> > 1. When sandbox kicks in, I get a unique origin right?
>
> Yes.
>

How does this unique origin work? I can't find it defined anywhere. I see a
couple of problems with it....

1. If the unique origin is defined in the URL, what happens when a link is
clicked? Does it send the referrer?
2. If the unique origin is different than the URL itself, then how can that
work, since same origin policy will be broken?
3. Let's say the unique origin uses the about protocol: is each unique
protocol classed as a separate domain on each browser, e.g. about:1, about:2?
Can you set cookies on about:1 that can then be read by about:2?
4. What if a sandbox allows JavaScript and the location is written
somewhere, would that expose the unique origin?

Received on Tuesday, 22 February 2011 08:52:46 GMT
