W3C home > Mailing lists > Public > public-web-security@w3.org > November 2011

Re: Understanding the security model for the sandbox directive

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 9 Nov 2011 23:51:39 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
cc: public-web-security@w3.org, Jacob Rossi <jrossi@microsoft.com>
Message-ID: <Pine.LNX.4.64.1111092351180.31955@ps20323.dreamhostps.com>
On Fri, 4 Nov 2011, Adam Barth wrote:
> 
> 2) Refuse to load documents with a CSP sandbox directive in the main 
> frame.  Site can, of course, continue to load them in subframes.  We 
> could then apply the sandbox policy to the iframe and all future 
> documents that load in that frame.  There's no "poisoning" issues as 
> above because navigating the main frame clears out the policy.
> 
> Of these choices, I favor (2) because I think the main use case for this 
> feature is for documents intended to be loaded in subframes rather than 
> documents loaded in the main frame.

When would it be preferable to do this rather than just using sandbox="" 
on the <iframe>?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 9 November 2011 23:52:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 November 2011 23:52:12 GMT