
Re: CSP Directive Proposal: Sandbox

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 22 Feb 2011 01:57:30 -0800
Message-ID: <AANLkTim1B6xVwEMFLJeWnuJioa88Km-gNuGmxNCzC7Ax@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Tue, Feb 22, 2011 at 1:41 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 22 February 2011 09:01, Adam Barth <w3c@adambarth.com> wrote:
>> > How does this unique origin work? I can't find it defined anywhere.
>>
>> It's defined in HTML5.
>
> Maybe it's me but I looked and couldn't find how "globally unique
> identifier" is generated.

Think of it as a long random number.  You can't actually detect how
it's generated.

>> > 3. Let's say the unique origin uses the about protocol, is each unique
>> > protocol classed as a separate domain on each browser, e.g. about:1,
>> > about:2
>> > can you set cookies on about:1 then can be read by about:2
>>
>> The unique origin does not use the about scheme.
>
> What does it use?

There's no way to tell.  In WebKit, it's just a Boolean flag that says
"this origin is unique."

>> > 4. What if a sandbox allows JavaScript and the location is written
>> > somewhere, would that expose the unique origin?
>>
>> I'm not sure what you mean by that.
>
> I'm interested in ways to get the unique origin and then regenerate it

The easiest way to generate a unique origin is to create an iframe
with the sandbox attribute.

Adam
Received on Tuesday, 22 February 2011 09:58:34 GMT
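
The origin rules discussed in this message, as an added example that is not part of the original message or of any browser's code: a small model of how a unique (opaque) origin compares and serializes. The function names are hypothetical and `example.test` is a constructed host.

```javascript
// Hypothetical model of origin comparison; not browser source code.

// Ordinary origin: a (scheme, host, port) tuple. port is null when default.
function tupleOrigin(scheme, host, port) {
  return Object.freeze({ kind: "tuple", scheme, host, port });
}

// Unique origin: carries no readable value at all. Its identity is the
// object itself, so there is nothing to extract and nothing to regenerate.
function opaqueOrigin() {
  return Object.freeze({ kind: "opaque" });
}

// What script can observe: every unique origin serializes to "null",
// so writing the origin out somewhere does not distinguish one from another.
function serializeOrigin(o) {
  if (o.kind === "opaque") return "null";
  return `${o.scheme}://${o.host}` + (o.port === null ? "" : `:${o.port}`);
}

// A unique origin is same-origin only with itself, never with a tuple
// origin and never with another unique origin.
function sameOrigin(a, b) {
  if (a.kind === "opaque" || b.kind === "opaque") return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// sandboxTokens: tokens of the iframe sandbox attribute, or null when the
// attribute is absent. Without allow-same-origin the document gets a fresh
// unique origin instead of the origin of its URL.
function originForDocument(urlOrigin, sandboxTokens) {
  const sandboxed =
    sandboxTokens !== null && !sandboxTokens.includes("allow-same-origin");
  return sandboxed ? opaqueOrigin() : urlOrigin;
}

// Constructed sample: two sandboxed frames loaded from the same site.
const site = tupleOrigin("https", "example.test", null);
const frameA = originForDocument(site, ["allow-scripts"]);
const frameB = originForDocument(site, ["allow-scripts"]);
console.log(serializeOrigin(frameA), serializeOrigin(frameB)); // both "null"
console.log(sameOrigin(frameA, frameB), sameOrigin(frameA, site)); // false false
```

Because the two frames are not same-origin with each other or with the embedding site, origin-scoped state such as cookies or storage is not shared between them.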
