On 6/26/2013 4:28 PM, Hill, Brad wrote: > Is it clear what the event model for violations here is? For the other CSP directives a violation represents something unexpected that is actually present in your content. Might be a bug (in the content or the CSP policy) or it might be injected. Reporting this lets the site authors fix their site. It's not clear to me that there _are_ sandbox violations. It doesn't declare an invariant, it provides processing rules: "ignore scripts in this context", "treat as a unique origin". "frame-option" violations are also problematic. What is a site author expected to do about it? There's nothing to clean up in their own site, someone somewhere is trying to include them. Pass along the including page so the site can send cease and desist letters? But except in the nested case the site already could get the referers from their logs. -Dan Veditz
Received on Thursday, 27 June 2013 02:26:25 UTC