Re: CSP Directive Proposal: Sandbox

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 22 Feb 2011 01:16:46 -0800
Message-ID: <AANLkTimmnpEid5APBiPvnkXQiMazRwVvM=EYiaA+m+C-@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org

I don't think the situation is as tricky as you make it out to be,
especially if we go the route of an empty CSP policy not implying
inline script restrictions, which seems likely.


On Tue, Feb 22, 2011 at 1:11 AM, sird@rckc.at <sird@rckc.at> wrote:
> @gaz, it's defined in iframe element > sandbox attribute in HTML 5.
> http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox
> dross@ had concerns about this as well.. The good news is that it's
> not implemented by Opera/IE yet.. which are the ones that deal with
> about: URIs weirdly.
>> It works exactly the same as the sandbox attribute on iframes.  It's
>> not any more or less complicated or surprising than that.
> I think it's complicated because I'm confused :).
> So, I can imagine writing a tutorial for webmasters.. along the lines of:
> You have these rules for CSP: allow/default-src, script-src, options, etc..
> And you also have the "sandbox" rule.. when you set that one, then
> forget about the ones you just used.. because you have to do the same
> thing again.
> If you used "script-src" or "inline-scripts" in options, then you have
> to add "allow-scripts".
> If you want forms, remember to add "allow-forms".
> Also, please remember that unless you want your code to be in a unique
> origin, add "allow-same-origin", which has the same use as
> "text/html-sandboxed" content-type.
> There's also an "allow-top-navigation" rule, that you have to set, if
> you want yourself or any of your frame children to navigate the top
> page..
> Now, if you wanted to use plugins, such as Flash.. you are out of luck
> until an endless W3C discussion is done and all plugin vendors agree
> on some way to do so, which may take till 2014.
> Also, please remember that just setting "sandbox allow-scripts" will
> not actually allow scripts, you should set
> script-src/default-src/etc.. as well.
> By the way, it's not all bad news, the reason you have "sandbox" here
> is so you can sandbox context in a unique origin that isn't HTML..
> (or, are there any other advantages?)
> Greetings!!
> -- Eduardo
> On Tue, Feb 22, 2011 at 12:52 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>> On 22 February 2011 00:42, Adam Barth <w3c@adambarth.com> wrote:
>>> > 1. When sandbox kicks in, I get a unique origin right?
>>> Yes.
>> How does this unique origin work? I can't find it defined anywhere. I see a
>> couple of problems with it....
>> 1. If the unique origin is defined in the url what happens when a link is
>> clicked, does it send the referrer?
>> 2. If the unique origin is different than the URL itself then how can that
>> work since same origin policy will be broken
>> 3. Let's say the unique origin uses the about protocol, is each unique
>> protocol classed as a separate domain on each browser, e.g. about:1, about:2
>> can you set cookies on about:1 then can be read by about:2
>> 4. What if a sandbox allows JavaScript and the location is written
>> somewhere, would that expose the unique origin?
Received on Tuesday, 22 February 2011 09:17:52 UTC
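
Added example, not part of the original message or of any spec text: a small JavaScript model of the interaction the quoted tutorial sketch describes, where the sandbox flags and the script-src/default-src source lists are evaluated independently and a script has to pass both. It assumes the semantics called likely at the top of the message (an absent directive restricts nothing), with script-src falling back to default-src; the function and property names are hypothetical.

```javascript
// Added example: hypothetical helper names, not from any browser or spec.
// Splits a CSP header value into directive name -> list of tokens.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Assumption: the first occurrence of a directive wins, duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Reports what a document delivered with this policy may do.
function effectiveSandbox(header) {
  const d = parsePolicy(header);
  const sandboxed = d.has('sandbox');
  const flags = new Set((d.get('sandbox') || []).map((f) => f.toLowerCase()));
  // Without a sandbox directive nothing is sandboxed; with one, every
  // capability is off unless its allow-* flag is listed.
  const granted = (flag) => !sandboxed || flags.has(flag);

  // Source-list side: script-src falls back to default-src. If neither is
  // present, the policy places no source restriction on scripts.
  const src = d.get('script-src') || d.get('default-src');
  const sourcesBlockAll =
    src !== undefined && src.every((s) => s.toLowerCase() === "'none'");

  return {
    sandboxed,
    // Unique origin unless allow-same-origin is given.
    uniqueOrigin: sandboxed && !flags.has('allow-same-origin'),
    scriptsBySandbox: granted('allow-scripts'),
    // A script needs both: the sandbox flag AND a source list that is
    // not empty or 'none'. Setting only one of the two is not enough.
    scriptsPossible: granted('allow-scripts') && !sourcesBlockAll,
    forms: granted('allow-forms'),
    topNavigation: granted('allow-top-navigation'),
  };
}

// Constructed sample policies.
console.log(effectiveSandbox('sandbox allow-scripts'));
console.log(effectiveSandbox("sandbox allow-scripts; default-src 'none'"));
```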