Re: Understanding the security model for the sandbox directive

From: dveditz <dveditz@mozilla.com>
Date: Fri, 4 Nov 2011 11:29:27 -0700 (PDT)
Message-ID: <onh9b111w4igjpm921ycguqc.1320431342088@email.android.com>
To: w3c@adambarth.com
Cc: public-web-security@w3.org, jrossi@microsoft.com

Adam Barth <w3c@adambarth.com> wrote:
> attacker cannot execute script in the sandboxed document itself,
> but he/she can trigger a navigation to another (non-sandboxed)
> document, which can execute script.

I'm fine with that--if the site is worried about the effect on a containing doc they should use the frame attribute. If they're using CSP then they are worried about that specific page being abused.

-Dan
Received on Friday, 4 November 2011 18:32:31 GMT