
Re: CSP Directive Proposal: Sandbox

From: <sird@rckc.at>
Date: Tue, 22 Feb 2011 01:31:44 -0800
Message-ID: <AANLkTi=4c6352_FEahfWWUW_jjyH31_-r_=v_S0kc7Vz@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
Oh, I wasn't aware that the "default-do-nothing" was really happening.

-- Eduardo




On Tue, Feb 22, 2011 at 1:16 AM, Adam Barth <w3c@adambarth.com> wrote:
> I don't think the situation is as tricky as you make it out to be,
> especially if we go the route of an empty CSP policy not implying
> inline script restrictions, which seems likely.
>
> Adam
>
>
> On Tue, Feb 22, 2011 at 1:11 AM, sird@rckc.at <sird@rckc.at> wrote:
>> @gaz, it's defined in iframe element > sandbox attribute in HTML 5.
>> http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox
>>
>> dross@ had concerns about this as well.. The good news is that it's
>> not implemented by Opera/IE yet.. which are the ones that deal with
>> about: URIs weirdly.
>>
>>> It works exactly the same as the sandbox attribute on iframes.  It's
>>> not any more or less complicated or surprising than that.
>> I think it's complicated because I'm confused :).
>>
>> So, I can imagine writing a tutorial for webmasters.. in the lines of:
>>
>> You have these rules for CSP: allow/default-src, script-src, options, etc..
>>
>> And you also have the "sandbox" rule.. when you set that one, then
>> forget about the ones you just used.. because you have to do the same
>> thing again.
>>
>> If you used "script-src" or "inline-scripts" in options, then you have
>> to add "allow-scripts".
>>
>> If you want forms, remember to add "allow-forms".
>>
>> Also, please remember that unless you want your code to be in a unique
>> origin, add "allow-same-origin", which has the same use as
>> "text/html-sandboxed" content-type.
>>
>> There's also an "allow-top-navigation" rule, that you have to set, if
>> you want yourself or any of your frame children to navigate the top
>> page..
>>
>> Now, if you wanted to use plugins, such as Flash.. you are out of luck
>> until an endless W3C discussion is done and all plugin vendors agree
>> on some way to do so, which may take till 2014.
>>
>> Also, please remember that just setting "sandbox allow-scripts" will
>> not actually allow scripts, you should set
>> script-src/default-src/etc.. as well.
>>
>> By the way, it's not all bad news, the reason you have "sandbox" here
>> is so you can sandbox context in a unique origin that isn't HTML..
>> (or, are there any other advantages?)
>>
>> Greetings!!
>>
>> -- Eduardo
>>
>>
>>
>>
>> On Tue, Feb 22, 2011 at 12:52 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>>> On 22 February 2011 00:42, Adam Barth <w3c@adambarth.com> wrote:
>>>>
>>>> > 1. When sandbox kicks in, I get a unique origin right?
>>>>
>>>> Yes.
>>>
>>> How does this unique origin work? I can't find it defined anywhere. I see a
>>> couple of problems with it....
>>>
>>> 1. If the unique origin is defined in the URL, what happens when a link is
>>> clicked, does it send the referrer?
>>> 2. If the unique origin is different than the URL itself, then how can that
>>> work, since the same origin policy will be broken?
>>> 3. Let's say the unique origin uses the about protocol, is each unique
>>> protocol classed as a separate domain on each browser, e.g. about:1, about:2?
>>> Can you set cookies on about:1 that can then be read by about:2?
>>> 4. What if a sandbox allows JavaScript and the location is written
>>> somewhere, would that expose the unique origin?
>>>
>>>
>>
>
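The interaction Eduardo walks through (a `sandbox` directive that strips script, form, same-origin and top-navigation capabilities, and `allow-scripts` that still does nothing unless `script-src`/`default-src` also permit scripts) as an added audit helper; this is example code written for this archive page, not code from the thread or from any CSP implementation. It assumes the directive names used in the thread (`sandbox`, `script-src`, `default-src`) and the `allow-*` flags named there; anything else about the 2011 proposal's syntax is not modelled.

```python
"""Audit a CSP header for the sandbox / source-directive interaction.

Added example (not from the thread). Rule being checked, as stated in the
discussion: with a `sandbox` directive present, scripts run only if the
sandbox grants allow-scripts AND the governing source list still permits
them; forms, same-origin and top navigation each need their own flag.
"""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'name v1 v2; name v3' into {name: [v1, v2], ...} (names lowercased)."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def scripts_may_run(policy: Dict[str, List[str]]) -> bool:
    """Both gates must open: sandbox flag (if sandboxed) and a non-'none' source list."""
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return False
    # script-src governs scripts; default-src is the fallback; no directive = unrestricted
    sources = policy.get("script-src", policy.get("default-src", ["*"]))
    return bool(sources) and "'none'" not in sources


def sandbox_report(header: str) -> Dict[str, bool]:
    """Summarise what a page served with this header may still do."""
    policy = parse_csp(header)
    sandbox = policy.get("sandbox")
    if sandbox is None:
        # Not sandboxed: only the script gate applies here.
        return {"sandboxed": False, "scripts": scripts_may_run(policy),
                "forms": True, "same_origin": True, "top_navigation": True}
    return {
        "sandboxed": True,
        "scripts": scripts_may_run(policy),
        "forms": "allow-forms" in sandbox,
        "same_origin": "allow-same-origin" in sandbox,   # absent = unique origin
        "top_navigation": "allow-top-navigation" in sandbox,
    }


if __name__ == "__main__":
    # Constructed sample header: the pitfall from the thread, allow-scripts with script-src 'none'
    print(sandbox_report("default-src 'self'; script-src 'none'; sandbox allow-scripts"))
```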
Received on Tuesday, 22 February 2011 09:32:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 22 February 2011 09:32:37 GMT