On Fri, Nov 4, 2011 at 3:42 PM, Steingruebl, Andy <asteingruebl@paypal-inc.com> wrote: >> -----Original Message----- >> From: Adam Barth [mailto:w3c@adambarth.com] > >> 4) If both CSP and the sandbox attribute supply a sandbox policies, they'll be >> merged using the algorithm in the HTML5 spec (which is currently used to >> merge sandbox bits for nested iframes). > > My only question is whether all the security folks fully evaluated the sandbox model in HTML5. If so I'm ok, but if it didn't get a lot of attention I'm fine being in-sync, but let's make any adjustments in the HTML5 spec as necessary. > > I'm just going to assume it implements a model where you can only subtract rights, now add to them, from children, correct? Correct. AdamReceived on Friday, 4 November 2011 22:54:19 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 4 November 2011 22:54:20 GMT