
Re: Understanding the security model for the sandbox directive

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 4 Nov 2011 09:59:09 -0700
Message-ID: <CAJE5ia8M=tFNQjuPFnNvEpLVSz_jNYKB3jWm8grLEHj15L3UiQ@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: dveditz <dveditz@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>, "jrossi@microsoft.com" <jrossi@microsoft.com>

What about the case when user-contrib.paypal-sandbox.com is loaded in
an iframe?  Should we persist the sandbox bits from CSP across
navigation then, or is it the responsibility of the embedding page to
include the sandbox attribute on the iframe they point at
user-contrib.paypal-sandbox.com?

Adam


On Fri, Nov 4, 2011 at 9:55 AM, Hill, Brad <bhill@paypal-inc.com> wrote:
> I think maintaining the sandbox state across navigation is only important in a subframe case because the outer framing content must remain protected across these events.
>
> For sandboxing applied by the server, it's the server that needs to apply protection uniformly, not the browser.
>
> e.g. if I want to block script execution on user-contrib.paypal-sandbox.com to help prevent resources there from scripting each other, it doesn't matter if a resource there can navigate to evil.example.com and execute script from that origin - I have standard SOP protections in that case.
>
> If it navigates elsewhere on user-contrib.paypal-sandbox.com, my server can still force the correct sandbox header on that content.
>
> Am I missing something?
>
> Brad Hill
> Sr. MTS, Internet Standards and Governance
> PayPal Information Risk Management
> cell: 206.245.7844 / skype: hillbrad
>
> On Nov 4, 2011, at 9:39 AM, "Adam Barth" <w3c@adambarth.com> wrote:
>
>> On Fri, Nov 4, 2011 at 8:26 AM, dveditz <dveditz@mozilla.com> wrote:
>>> What do you mean by "main frame"? The top document, or the document in a
>>> <frame> element in the top document?
>>
>> The top document.
>>
>>> A sandbox directive should apply to any document no matter where loaded, and
>>> should not pollute the container it is loaded in for future documents. If we
>>> start with those as consistency principles what works and what doesn't?
>>
>> The unique origin seems to work, but I'm not sure the other tokens
>> work.  The example I gave previously was script execution.  The
>> attacker cannot execute script in the sandboxed document itself, but
>> he/she can trigger a navigation to another (non-sandboxed) document,
>> which can execute script.
>>
>>> What model does IE 10 follow? What have they learned from their
>>> implementation?
>>
>> I'm hoping jrossi can shed some light on that question.
>>
>> Adam
>>
>
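To make the two positions in this thread concrete, here is a small added model (not code from the thread or from any browser) of how a CSP `sandbox` directive and an `<iframe sandbox>` attribute each constrain a document and what survives a navigation. It assumes the model the thread is circling: the iframe attribute is a property of the container and persists across navigations, the CSP directive applies only to the response that carried it, and where both apply a capability is allowed only if both allow it. The hostnames are the ones used in the thread; the sample navigation is constructed.

```python
# Added illustration, not from the thread. Assumed model: the <iframe sandbox>
# attribute persists across navigations of that frame, a CSP "sandbox"
# directive covers only the response it arrived on, and when both apply a
# capability survives only if both permit it.

ALL_CAPS = {"scripts", "forms", "same-origin", "top-navigation", "popups"}


def parse_sandbox(value):
    """Turn a sandbox token list (attribute value or CSP directive value)
    into the set of capabilities it allows. The empty string means
    'restrict everything', as an empty sandbox attribute does."""
    allowed = set()
    for tok in value.split():
        if tok.startswith("allow-") and tok[6:] in ALL_CAPS:
            allowed.add(tok[6:])
    return allowed


def effective_caps(iframe_attr, csp_sandbox):
    """iframe_attr / csp_sandbox: None when absent, else the token string.
    With no sandbox from either source, every capability is allowed."""
    caps = set(ALL_CAPS)
    if iframe_attr is not None:
        caps &= parse_sandbox(iframe_attr)
    if csp_sandbox is not None:
        caps &= parse_sandbox(csp_sandbox)
    return caps


def script_allowed_after_navigation(iframe_attr, responses):
    """responses: list of (url, csp_sandbox_or_None), in the order the
    browsing context navigates through them. Returns, per document,
    whether script may execute there under the assumed model."""
    return [(url, "scripts" in effective_caps(iframe_attr, csp))
            for url, csp in responses]


if __name__ == "__main__":
    # Constructed hops: the sandbox host sends "sandbox" (no allow-* tokens),
    # then the sandboxed page navigates to a host that sends no CSP at all.
    hops = [("https://user-contrib.paypal-sandbox.com/a.html", ""),
            ("https://evil.example.com/", None)]
    # Top-level (no iframe attribute): Adam's case, script runs after the hop.
    print(script_allowed_after_navigation(None, hops))
    # Framed with <iframe sandbox>: Brad's case, the container keeps protecting.
    print(script_allowed_after_navigation("", hops))
```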
Received on Friday, 4 November 2011 17:00:21 GMT