
CSP Sandbox directive and meta tag - CSP 1.1

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Tue, 18 Sep 2012 15:17:08 -0700
Message-ID: <5058F2E4.2060602@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

A couple months ago during our biweekly call we discussed how a CSP 
sandbox directive would be handled when the content security policy is 
specified in a meta tag.  We proposed ignoring the CSP sandbox directive 
if set in a meta policy.  This is because the sandbox flag needs to be 
set on navigation, and the <meta> tag with the policy isn't specified 
until after navigation and after a principal for the document has 
already been set.  Switching to the null principal after we discover the 
sandbox directive makes following the same origin policy tricky since 
we'd already be halfway through parsing the document.

Bringing this up on the mailing list for further discussion. Thanks!

~Tanvi
Received on Tuesday, 18 September 2012 22:17:35 GMT
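
The proposal in the message above, modelled as an added example (not code from the message, the working group, or any browser): a policy's sandbox directive is kept when the policy arrives in a header and dropped when it arrives in a `<meta>` tag, and a small audit reports pages that rely on the dropped directive. The function names, the simplified regex-based tag matching, and the sample page are assumptions made for illustration.

```javascript
// Added example: models the proposal above (sandbox ignored in <meta> policies).
// parsePolicy, effectivePolicy and auditHtml are hypothetical names, not a browser API.

// Split a serialized policy into a Map of directive name -> array of values.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // This example keeps the first occurrence of a directive and drops repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Directives that cannot take effect once the document's principal is already set.
const IGNORED_IN_META = new Set(['sandbox']);

// source is 'header' or 'meta'. Returns what is enforced and what is silently dropped.
function effectivePolicy(policy, source) {
  const enforced = parsePolicy(policy);
  const ignored = [];
  if (source === 'meta') {
    for (const name of [...enforced.keys()]) {
      if (IGNORED_IN_META.has(name)) { enforced.delete(name); ignored.push(name); }
    }
  }
  return { enforced, ignored };
}

// Scan markup for <meta http-equiv="Content-Security-Policy"> and report dropped directives.
// Regex matching is a simplification; a real audit would use an HTML parser.
function auditHtml(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    if (!/http-equiv\s*=\s*["']?content-security-policy["'\s>]/i.test(tag)) continue;
    const m = /content\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
    if (!m) continue;
    const { ignored } = effectivePolicy(m[1] ?? m[2], 'meta');
    if (ignored.length) findings.push({ tag, ignored });
  }
  return findings;
}

// Constructed sample page whose author expects sandboxing from a meta policy.
const SAMPLE = `<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; sandbox allow-scripts">
</head><body></body></html>`;
```

A page flagged by `auditHtml` needs its sandbox policy moved to the HTTP response header for the directive to take effect under this proposal.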
