
RE: Understanding the security model for the sandbox directive

From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
Date: Fri, 4 Nov 2011 16:42:20 -0600
To: Adam Barth <w3c@adambarth.com>, "Hill, Brad" <bhill@paypal-inc.com>
CC: dveditz <dveditz@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>, "jrossi@microsoft.com" <jrossi@microsoft.com>
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEBED615C5B@DEN-MEXMS-001.corp.ebay.com>
> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]

> 4) If both CSP and the sandbox attribute supply sandbox policies, they'll be
> merged using the algorithm in the HTML5 spec (which is currently used to
> merge sandbox bits for nested iframes).

My only question is whether all the security folks fully evaluated the sandbox model in HTML5. If so, I'm OK, but if it didn't get a lot of attention I'm fine being in-sync, but let's make any adjustments in the HTML5 spec as necessary.

I'm just going to assume it implements a model where you can only subtract rights, not add to them, from children, correct?

- Andy
Received on Friday, 4 November 2011 22:42:53 UTC
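
Added example, not part of the original message and not text from the HTML5 or CSP specifications: a simplified model of the merge discussed above, in which each source's sandbox value is parsed into a set of restriction flags and the sets are unioned, so a child or a second policy source can only subtract rights. The flag labels and function names are assumptions made for illustration.

```javascript
// Simplified model: one restriction flag per allow-* token.
// Flag labels are illustrative, not the specification's identifiers.
const TOKEN_CLEARS = new Map([
  ['allow-same-origin', 'origin'],
  ['allow-forms', 'forms'],
  ['allow-scripts', 'scripts'],
  ['allow-top-navigation', 'top-navigation'],
  ['allow-popups', 'popups'],
]);

// A sandbox value starts fully restricted; each known allow-* token clears
// one flag. Unknown tokens are ignored, so they can never grant anything.
function parseSandbox(value) {
  const flags = new Set(TOKEN_CLEARS.values());
  for (const token of value.toLowerCase().split(/\s+/).filter(Boolean)) {
    if (TOKEN_CLEARS.has(token)) flags.delete(TOKEN_CLEARS.get(token));
  }
  return flags;
}

// Merge = union of restriction flags. A source with no policy (null)
// contributes nothing; no source can clear a flag that another one set.
function mergeSandbox(...sources) {
  const merged = new Set();
  for (const value of sources) {
    if (value === null || value === undefined) continue;
    for (const flag of parseSandbox(value)) merged.add(flag);
  }
  return merged;
}

// Capabilities that survive the merge: tokens whose flag is not set.
function effectiveAllows(...sources) {
  const merged = mergeSandbox(...sources);
  return [...TOKEN_CLEARS.keys()]
    .filter((token) => !merged.has(TOKEN_CLEARS.get(token)))
    .sort();
}

// Constructed inputs: a CSP sandbox directive value, an iframe sandbox
// attribute, and the sandbox attribute of a nested iframe.
const csp = 'allow-scripts allow-forms';
const attr = 'allow-scripts allow-same-origin';
const nested = 'allow-scripts allow-popups';
console.log(effectiveAllows(csp, attr));         // only what both allow
console.log(effectiveAllows(csp, attr, nested)); // nesting cannot add rights
```

Under this model the effective permissions are the intersection of the allow tokens from every source, and an empty sandbox value from any one source removes everything.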
