W3C home > Mailing lists > Public > public-web-security@w3.org > November 2011

Re: Understanding the security model for the sandbox directive

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 4 Nov 2011 15:53:12 -0700
Message-ID: <CAJE5ia-6xd6YGdCuJuxUT8izLsY0noKXrOJaTKERsm=3Ee2Xyw@mail.gmail.com>
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, dveditz <dveditz@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>, "jrossi@microsoft.com" <jrossi@microsoft.com>
On Fri, Nov 4, 2011 at 3:42 PM, Steingruebl, Andy
<asteingruebl@paypal-inc.com> wrote:
>> -----Original Message-----
>> From: Adam Barth [mailto:w3c@adambarth.com]
>
>> 4) If both CSP and the sandbox attribute supply a sandbox policies, they'll be
>> merged using the algorithm in the HTML5 spec (which is currently used to
>> merge sandbox bits for nested iframes).
>
> My only question is whether all the security folks fully evaluated the sandbox model in HTML5.    If so I'm ok, but if it didn't get a lot of attention I'm fine being in-sync, but let's make any adjustments in the HTML5 spec as necessary.
>
> I'm just going to assume it implements a model where you can only subtract rights, now add to them, from children, correct?

Correct.

Adam
Received on Friday, 4 November 2011 22:54:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 4 November 2011 22:54:20 GMT