RE: Keeping sandbox directive in CSP 1.0

During the Face-to-face, I failed to realize that there were already two interoperable implementations of this, which (as Phillipe mentioned) would allow the 1.0 spec to advance to CR even with sandbox support. I understand that this was one of the concerns brought up when discussing this.

From: Jacob Rossi [mailto:Jacob.Rossi@microsoft.com]
Sent: Tuesday, May 15, 2012 1:27 PM
To: public-webappsec@w3.org
Cc: Adrian Bateman
Subject: Keeping sandbox directive in CSP 1.0


Hi folks,



Since it's our off week for a telecon, I wanted to continue our discussion about the sandbox directive staying in the 1.0 spec (rather than postponing to 1.1).



Microsoft believes that the HTML5 Sandbox feature is incomplete without a corresponding server side mechanism for enforcing sandbox restrictions.  As an example, this is impactful for scenarios where a page is normally hosted in a sandboxed iframe but the somehow the user is misled to navigate directly to the content (escaping the iframe sandbox).



We believe this feature is ready and stable for web developers to start using today. Keeping it in the 1.0 spec codifies that and helps us encourage web developers to use the feature to further secure their site, quelling fears by web developers of the feature changing out from under them. At TPAC and in previous telecons, we've discussed whether this should be in the 1.0 spec before--consensus at the time was to include it in 1.0.



We do not see any technical or procedural reason that would warrant delaying this useful feature. There currently are no open technical issues on how the feature works, we have good spec text for the description, and there are two interoperable implementations (webkit and IE10).



We think it's best for the Web that the sandbox directive stay in the 1.0 spec. There were a couple folks who disagreed with that on our last call, so I'd like to continue that discussion so that we can come to a true resolution on this issue.



Thanks,



Jacob