Re: Keeping sandbox directive in CSP 1.0

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 15 May 2012 14:40:00 -0700
Message-ID: <CAJE5ia90ro-+e8TU60+djkWk81DNGRc4kV3652kuDAE1CnAOZA@mail.gmail.com>
To: Jacob Rossi <Jacob.Rossi@microsoft.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Adrian Bateman <adrianba@microsoft.com>

I agree with Jacob.  The sandbox directive is ready for primetime.
There aren't any technical issues with the feature, we've got two
interoperable implementations, and we don't have any reason to believe
it's going to change in an incompatible way in the future.

Adam


On Tue, May 15, 2012 at 1:27 PM, Jacob Rossi <Jacob.Rossi@microsoft.com> wrote:
> Hi folks,
>
> Since it's our off week for a telecon, I wanted to continue our discussion
> about the sandbox directive staying in the 1.0 spec (rather than postponing
> to 1.1).
>
> Microsoft believes that the HTML5 Sandbox feature is incomplete without a
> corresponding server side mechanism for enforcing sandbox restrictions.  As
> an example, this is impactful for scenarios where a page is normally hosted
> in a sandboxed iframe but somehow the user is misled to navigate
> directly to the content (escaping the iframe sandbox).
>
> We believe this feature is ready and stable for web developers to start
> using today. Keeping it in the 1.0 spec codifies that and helps us encourage
> web developers to use the feature to further secure their site, quelling
> fears by web developers of the feature changing out from under them. At TPAC
> and in previous telecons, we've discussed whether this should be in the 1.0
> spec before--consensus at the time was to include it in 1.0.
>
> We do not see any technical or procedural reason that would warrant delaying
> this useful feature. There currently are no open technical issues on how the
> feature works, we have good spec text for the description, and there are two
> interoperable implementations (webkit and IE10).
>
> We think it's best for the Web that the sandbox directive stay in the 1.0
> spec. There were a couple folks who disagreed with that on our last call, so
> I'd like to continue that discussion so that we can come to a true
> resolution on this issue.
>
> Thanks,
> Jacob
Received on Tuesday, 15 May 2012 21:41:02 GMT
