W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2012

RE: Keeping sandbox directive in CSP 1.0

From: Jacob Rossi <Jacob.Rossi@microsoft.com>
Date: Fri, 25 May 2012 02:33:48 +0000
To: Adam Barth <w3c@adambarth.com>, Tanvi Vyas <tanvi@mozilla.com>
CC: Travis Leithead <travis.leithead@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adrian Bateman <adrianba@microsoft.com>
Message-ID: <D0BC8E77E79D9846B61A2432D1BA4EAE063F7866@TK5EX14MBXC288.redmond.corp.microsoft.com>

>> In addition, we believe it is a little late to introduce this into 1.0.  The
>> issue tracker currently has no open CSP issues, implying that the spec is
>> ready for Last Call, and hence not the time to add a new directive.
> It's hardly a new directive.  We've been discussing it for months.  In
> fact, the sandbox directive has been present in the document since
> this working group issued it as a FPWD on 29 November 2011, roughly
> six months ago:

Agreed. Including sandbox in CSP was first discussed about a year ago and it's been in the spec since the first published working draft. At TPAC, consensus was to keep sandbox in the spec but to add a note saying that the feature could move to 1.1 if lack of implementation blocked the 1.0 spec's progress. The implementation requirements are now met (and as Adam points out, this actually isn't required yet as there hasn't been a Call for Implementations). Moreover, it was mentioned in a previous teleconference that Mozilla is working on an implementation of the feature.

So we see no reason to change the plan of record.

Keeping sandbox in the 1.0 spec is better for the Web.  The feature is stable and ready for adoption by web developers and other user agents. 

-Jacob
________________________________________
From: Adam Barth [w3c@adambarth.com]
Sent: Thursday, May 24, 2012 5:54 PM
To: Tanvi Vyas
Cc: Travis Leithead; Jacob Rossi; public-webappsec@w3.org; Adrian Bateman
Subject: Re: Keeping sandbox directive in CSP 1.0

On Thu, May 24, 2012 at 5:34 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> According to the current CSP 1.0 specification, being conformant to the spec
> requires supporting all of the specified directives.  Since no two browsers
> currently support all the directives, it is not clear that it's feasible for
> any user agent to be conformant.  We believe that having two browsers be
> totally conformant to CSP 1.0 is the right approach for developers, so that
> they know that a browser claiming to support CSP provides all of the
> directives in the 1.0 spec.

According to the working group's charter
<http://www.w3.org/2011/08/appsecwg-charter.html>, we need only two
independent implementations of each feature described in the
specification, not of the entire specification:

---8<---
To advance to Proposed Recommendation, each specification is expected
to have two independent implementations of each feature described in
the specification.
--->8---

Moreover, we haven't even issued a Call for Implementations yet
<http://www.w3.org/2005/10/Process-20051014/tr#cfi>.  According to W3C
process, we don't issue a Call for Implementations until the document
has reached the Candidate Recommendation.

We're discussing advancing this document to Working Group Last Call
<http://www.w3.org/2005/10/Process-20051014/tr#last-call>, which
carries no implementation requirements, either from our charter
or from the W3C process.

> In order to put the sandbox directive in 1.0, we would need to change the
> conformance text to no longer require support for all directives.

That's not correct.  The document merely forbids anyone from claiming
they have a conforming implementation unless they implement all the
features.

> Mozilla does not support changing this text since developers will be unsure what
> compliance with the specification means for different user agents.

That's fine, but I don't see any reason why having that text in the
document prevents the document from advancing to Working Group Last
Call.

> In addition, we believe it is a little late to introduce this into 1.0.  The
> issue tracker currently has no open CSP issues, implying that the spec is
> ready for Last Call, and hence not the time to add a new directive.

It's hardly a new directive.  We've been discussing it for months.  In
fact, the sandbox directive has been present in the document since
this working group issued it as a FPWD on 29 November 2011, roughly
six months ago:

http://www.w3.org/TR/CSP/#sandbox

Adam


> On 5/15/12 2:17 PM, Travis Leithead wrote:
>
> During the Face-to-face, I failed to realize that there were already two
> interoperable implementations of this, which (as Philippe mentioned) would
> allow the 1.0 spec to advance to CR even with sandbox support. I understand
> that this was one of the concerns brought up when discussing this.
>
> From: Jacob Rossi [mailto:Jacob.Rossi@microsoft.com]
> Sent: Tuesday, May 15, 2012 1:27 PM
> To: public-webappsec@w3.org
> Cc: Adrian Bateman
> Subject: Keeping sandbox directive in CSP 1.0
>
> Hi folks,
>
> Since it's our off week for a telecon, I wanted to continue our discussion
> about the sandbox directive staying in the 1.0 spec (rather than postponing
> to 1.1).
>
> Microsoft believes that the HTML5 Sandbox feature is incomplete without a
> corresponding server side mechanism for enforcing sandbox restrictions.  As
> an example, this is impactful for scenarios where a page is normally hosted
> in a sandboxed iframe but somehow the user is misled to navigate
> directly to the content (escaping the iframe sandbox).
>
> We believe this feature is ready and stable for web developers to start
> using today. Keeping it in the 1.0 spec codifies that and helps us encourage
> web developers to use the feature to further secure their site, quelling
> fears by web developers of the feature changing out from under them. At TPAC
> and in previous telecons, we've discussed whether this should be in the 1.0
> spec before--consensus at the time was to include it in 1.0.
>
> We do not see any technical or procedural reason that would warrant delaying
> this useful feature. There currently are no open technical issues on how the
> feature works, we have good spec text for the description, and there are two
> interoperable implementations (webkit and IE10).
>
> We think it's best for the Web that the sandbox directive stay in the 1.0
> spec. There were a couple folks who disagreed with that on our last call, so
> I'd like to continue that discussion so that we can come to a true
> resolution on this issue.
>
> Thanks,
>
> Jacob
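As an added example of the scenario Jacob's original message describes (not code from the thread, the spec, or either of the implementations it mentions): a minimal WSGI app in Python that serves a widget which the host page embeds in <iframe sandbox="allow-scripts">, and emits the matching Content-Security-Policy: sandbox allow-scripts header from the server, so the same restrictions apply when a user is led to open the widget URL directly instead of inside the frame. The paths, handler and page bodies are hypothetical; the token list is assumed to be the HTML5 sandbox attribute's allow-* keywords, which the CSP sandbox directive reuses. The helper also refuses the allow-scripts plus allow-same-origin combination, which the HTML spec warns lets same-origin content remove its own sandbox and reload. The implementations current when this thread was written shipped the header under vendor-prefixed names; the example uses the unprefixed name the spec defines.

```python
"""Server-side enforcement of iframe sandbox restrictions via CSP's sandbox directive.

Added example, not part of the mailing-list thread. Paths, handler and page
bodies are hypothetical.
"""

from wsgiref.util import setup_testing_defaults  # builds a fake request offline

# Keywords of the HTML5 iframe sandbox attribute; the CSP sandbox directive
# takes the same tokens (assumption: this is the set current at the time).
SANDBOX_TOKENS = frozenset({
    "allow-forms",
    "allow-popups",
    "allow-same-origin",
    "allow-scripts",
    "allow-top-navigation",
})


def sandbox_policy(allow=()):
    """Build a CSP 'sandbox' directive value from a collection of allow-* tokens.

    An empty collection yields the fully restricted "sandbox": unique origin,
    no script, no form submission, no navigation of the top-level frame.
    """
    tokens = sorted(set(allow))
    unknown = [t for t in tokens if t not in SANDBOX_TOKENS]
    if unknown:
        raise ValueError("unknown sandbox token(s): %s" % ", ".join(unknown))
    # HTML spec caveat: allow-scripts together with allow-same-origin lets
    # same-origin content strip the sandbox attribute and reload itself, so
    # refuse that combination instead of emitting a policy that enforces little.
    if "allow-scripts" in tokens and "allow-same-origin" in tokens:
        raise ValueError("allow-scripts + allow-same-origin defeats the sandbox "
                         "for same-origin content")
    return " ".join(["sandbox"] + tokens)


# Hypothetical site layout: the host page is not sandboxed; the untrusted
# widget gets identical flags whether it is framed or navigated to directly.
SANDBOXED_PATHS = {
    "/untrusted": ("allow-scripts",),
}

HOST_HTML = b"""<!doctype html>
<title>host page</title>
<iframe sandbox="allow-scripts" src="/untrusted"></iframe>
"""

UNTRUSTED_HTML = b"""<!doctype html>
<title>untrusted widget</title>
<script>document.write('unique origin, no forms, no top-level navigation');</script>
"""


def app(environ, start_response):
    """Minimal WSGI app that attaches the CSP sandbox header to sandboxed paths."""
    path = environ.get("PATH_INFO", "/")
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if path in SANDBOXED_PATHS:
        # The header is sent unconditionally, not only when a Referer or the
        # framing page suggests the widget is embedded; direct navigation is
        # exactly the case the iframe attribute alone cannot cover.
        headers.append(("Content-Security-Policy",
                        sandbox_policy(SANDBOXED_PATHS[path])))
        body = UNTRUSTED_HTML
    elif path == "/":
        body = HOST_HTML
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", headers)
    return [body]


def fetch(path):
    """Drive the app offline for a GET of `path`; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for p in ("/", "/untrusted"):
        status, hdrs, _ = fetch(p)
        print(p, status, hdrs.get("Content-Security-Policy"))
```

Running the module prints the policy each path receives; the host page gets none, and /untrusted gets "sandbox allow-scripts" on every request, including one typed straight into the address bar.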
Received on Friday, 25 May 2012 02:34:34 GMT