W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: CSP Directive Proposal: Sandbox

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 22 Feb 2011 01:01:11 -0800
Message-ID: <AANLkTik-NL1i=q3=op0KmBq+ydGf6xaA8Sco6odngb3T@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Tue, Feb 22, 2011 at 12:52 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 22 February 2011 00:42, Adam Barth <w3c@adambarth.com> wrote:
>> > 1. When sandbox kicks in, I get a unique origin right?
>>
>> Yes.
>
> How does this unique origin work? I can't find it defined anywhere.

It's defined in HTML5.

> I see a couple of problems with it....
>
> 1. If the unique origin is defined in the url what happens when a link is
> clicked, does it send the referrer?

It does send the Referer.

> 2. If the unique origin is different than the URL itself then how can that
> work since same origin policy will be broken

The same-origin policy is not broken.

> 3. Lets say the unique origin uses the about protocol, is each unique
> protocol classed as a separate domain on each browser, e.g. about:1, about:2
> can you set cookies on about:1 then can be read by about:2

The unique origin does not use the about scheme.

> 4. What if a sandbox allows JavaScript and the location is written
> somewhere, would that expose the unique origin?

I'm not sure what you mean by that.

In any case, you're welcome to try it out.  Grab a WebKit nightly
build and create an iframe with the sandbox attribute.  That will give
you a document with a unique origin.

Adam
Received on Tuesday, 22 February 2011 09:02:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 22 February 2011 09:02:17 GMT