W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: CSP Directive Proposal: Sandbox

From: <sird@rckc.at>
Date: Tue, 22 Feb 2011 01:11:59 -0800
Message-ID: <AANLkTinznnK9Ok3hdD3nkTN6Z3UOVs0dA03Tb+68xhdd@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
@gaz, it's defined in iframe element > sandbox attribute in HTML 5.
http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

dross@ had concerns about this as well.. The good news is that it's
not implemented by Opera/IE yet.. which are the ones that deal with
about: URIs weirdly.

> It works exactly the same as the sandbox attribute on iframes.  It's
> not any more or less complicated or surprising than that.
I think it's complicated because I'm confused :).

So, I can imagine writing a tutorial for webmasters.. along the lines of:

You have these rules for CSP: allow/default-src, script-src, options, etc..

And you also have the "sandbox" rule.. when you set that one, then
forget about the ones you just used.. because you have to do the same
thing again.

If you used "script-src" or "inline-scripts" in options, then you have
to add "allow-scripts".

If you want forms, remember to add "allow-forms".

Also, please remember that unless you want your code to be in a unique
origin, add "allow-same-origin", which has the same use as
"text/html-sandboxed" content-type.

There's also an "allow-top-navigation" rule that you have to set if
you want yourself or any of your frame children to navigate the top
page..

Now, if you wanted to use plugins, such as flash.. you are out of luck
until an endless W3C discussion is done and all plugin vendors agree
on some way to do so, which may take till 2014.

Also, please remember that just setting "sandbox allow-scripts" will
not actually allow scripts, you should set
script-src/default-src/etc.. as well.

By the way, it's not all bad news, the reason you have "sandbox" here
is so you can sandbox context in a unique origin that isn't HTML..
(or, are there any other advantages?)

Greetings!!

-- Eduardo
On Tue, Feb 22, 2011 at 12:52 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 22 February 2011 00:42, Adam Barth <w3c@adambarth.com> wrote:
>>
>> > 1. When sandbox kicks in, I get a unique origin right?
>>
>> Yes.
>
> How does this unique origin work? I can't find it defined anywhere. I see a
> couple of problems with it....
>
> 1. If the unique origin is defined in the url what happens when a link is
> clicked, does it send the referrer?
> 2. If the unique origin is different than the URL itself then how can that
> work since same origin policy will be broken
> 3. Lets say the unique origin uses the about protocol, is each unique
> protocol classed as a separate domain on each browser, e.g. about:1, about:2
> can you set cookies on about:1 then can be read by about:2
> 4. What if a sandbox allows JavaScript and the location is written
> somewhere, would that expose the unique origin?
>
>
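Added example (not part of the original thread, and not browser code): a small model of how the message above describes the CSP "sandbox" directive combining with the source directives, i.e. that "sandbox allow-scripts" on its own does not run scripts, that the sandbox flags are needed in addition to script-src/default-src, and that the document gets a unique origin unless allow-same-origin is set. The directive and flag names are the ones quoted in the message; the function names, the simplified source-list matching (only 'none', 'self', '*' and exact origins) and the sample headers are assumptions made here for illustration.

```javascript
// Added example, not from the original message or any browser.
// Models the sandbox/source-directive interaction as described in the
// thread; the source matching is deliberately simplified (assumption).

const SANDBOX_FLAGS = new Set([
  "allow-scripts",
  "allow-forms",
  "allow-same-origin",
  "allow-top-navigation",
]);

// Parse "name v1 v2; name2 v3" into a Map of directive name -> token list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // sandbox flags are ASCII case-insensitive; other tokens are kept as written
    const values =
      name === "sandbox"
        ? tokens.slice(1).map((t) => t.toLowerCase())
        : tokens.slice(1);
    policy.set(name, values);
  }
  return policy;
}

// Simplified source-list check (assumption): 'none', 'self', '*' and exact
// origins only. Real CSP matching also handles schemes, wildcards and paths.
// An absent or empty list allows nothing, following the message's advice
// that a source directive must be set alongside the sandbox flag.
function sourceAllows(list, origin, pageOrigin) {
  if (!list || list.length === 0) return false;
  for (const src of list) {
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src === "'self'" && origin === pageOrigin) return true;
    if (src === origin) return true;
  }
  return false;
}

// Work out what a document served with `header` can do. Both gates must
// open for scripts: the source list must permit the script's origin AND,
// when sandboxed, allow-scripts must be present.
function effectiveCapabilities(header, { pageOrigin, scriptOrigin }) {
  const policy = parseCsp(header);
  const sandboxed = policy.has("sandbox");
  const flags = new Set(sandboxed ? policy.get("sandbox") : []);
  const unknownFlags = [...flags].filter((f) => !SANDBOX_FLAGS.has(f));

  // script-src falls back to default-src
  const scriptList = policy.get("script-src") || policy.get("default-src");
  const sourceOk = sourceAllows(scriptList, scriptOrigin, pageOrigin);

  return {
    sandboxed,
    unknownFlags,
    uniqueOrigin: sandboxed && !flags.has("allow-same-origin"),
    scriptsRun: sourceOk && (!sandboxed || flags.has("allow-scripts")),
    formsSubmit: !sandboxed || flags.has("allow-forms"),
    canNavigateTop: !sandboxed || flags.has("allow-top-navigation"),
  };
}

// Constructed sample headers illustrating the pitfalls in the message.
const SAMPLES = {
  // sandbox flag set, but no source list: scripts still do not run
  sandboxOnly: "sandbox allow-scripts",
  // source list fine, but sandbox without allow-scripts blocks them again
  noFlag: "default-src 'self'; sandbox",
  // both gates open; still a unique origin and no top navigation
  both: "default-src 'self'; sandbox allow-scripts allow-forms",
  // no sandbox directive at all: only the source list matters
  unsandboxed: "default-src 'self'",
};
```

Run it with a page and script origin of your choice, e.g. `effectiveCapabilities(SAMPLES.both, { pageOrigin: "https://example.test", scriptOrigin: "https://example.test" })`; the `unknownFlags` field is there so a typo such as `allow-script` shows up instead of silently doing nothing.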
Received on Tuesday, 22 February 2011 09:13:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 22 February 2011 09:13:02 GMT