W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2012

Re: Keeping sandbox directive in CSP 1.0

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Thu, 24 May 2012 17:34:44 -0700
Message-ID: <4FBED3A4.5080909@mozilla.com>
To: Travis Leithead <travis.leithead@microsoft.com>
CC: Jacob Rossi <Jacob.Rossi@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adrian Bateman <adrianba@microsoft.com>
According to the current CSP 1.0 specification, being conformant to the 
spec requires supporting all of the specified directives.  Since no two 
browsers currently support all the directives, it is not clear that it's 
feasible for any user agent to be conformant.  We believe that having 
two browsers be totally conformant to CSP 1.0 is the right approach for 
developers, so that they know that a browser claiming to support CSP 
provides all of the directives in the 1.0 spec.

In order to put the sandbox directive in 1.0, we would need to change 
the conformance text to no longer require support for all directives.  
Mozilla does not support changing this text since developers will be 
unsure what compliance with the specification means for different user 
agents.

In addition, we believe it is a little late to introduce this into 1.0.  
The issue tracker currently has no open CSP issues, implying that the 
spec is ready for Last Call, and hence not the time to add a new directive.

~Tanvi

On 5/15/12 2:17 PM, Travis Leithead wrote:
>
> During the Face-to-face, I failed to realize that there were already 
> two interoperable implementations of this, which (as Phillipe 
> mentioned) would allow the 1.0 spec to advance to CR even with sandbox 
> support. I understand that this was one of the concerns brought up 
> when discussing this.
>
> *From:*Jacob Rossi [mailto:Jacob.Rossi@microsoft.com]
> *Sent:* Tuesday, May 15, 2012 1:27 PM
> *To:* public-webappsec@w3.org
> *Cc:* Adrian Bateman
> *Subject:* Keeping sandbox directive in CSP 1.0
>
> Hi folks,
>
> Since it's our off week for a telecon, I wanted to continue our 
> discussion about the sandbox directive staying in the 1.0 spec (rather 
> than postponing to 1.1).
>
> Microsoft believes that the HTML5 Sandbox feature is incomplete 
> without a corresponding server side mechanism for enforcing sandbox 
> restrictions.  As an example, this is impactful for scenarios where a 
> page is normally hosted in a sandboxed iframe but the somehow the user 
> is misled to navigate directly to the content (escaping the iframe 
> sandbox).
>
> We believe this feature is ready and stable for web developers to 
> start using today. Keeping it in the 1.0 spec codifies that and helps 
> us encourage web developers to use the feature to further secure their 
> site, quelling fears by web developers of the feature changing out 
> from under them. At TPAC and in previous telecons, we've discussed 
> whether this should be in the 1.0 spec before--consensus at the time 
> was to include it in 1.0.
>
> We do not see any technical or procedural reason that would warrant 
> delaying this useful feature. There currently are no open technical 
> issues on how the feature works, we have good spec text for the 
> description, and there are two interoperable implementations (webkit 
> and IE10).
>
> We think it's best for the Web that the sandbox directive stay in the 
> 1.0 spec. There were a couple folks who disagreed with that on our 
> last call, so I'd like to continue that discussion so that we can come 
> to a true resolution on this issue.
>
> Thanks,
>
> Jacob
>
Received on Friday, 25 May 2012 00:35:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 25 May 2012 00:35:17 GMT