diff --git a/csp-specification.dev.html b/csp-specification.dev.html --- a/csp-specification.dev.html +++ b/csp-specification.dev.html @@ -291,16 +291,23 @@ inject CSP policies into vulnerable documents.
  • Ignore the report-uri directive in CSP policies obtained from meta elements. This requirement mitigates one attack that might result from an injected policy. It also provides a carrot for supplying the policy in an HTTP header, which is better for security.
  • +
  • To provide effective protection the user agent must know + about the sandbox and frame-options + directives before starting to render a document in a frame, + When either of these directives are encountered in a + meta element the user agent MUST ignore them and SHOULD + report a warning to the developer console.
  • +
  • Add some guidance that sites should put the meta element as early as possible in their document to reduce the risk of an attacker injecting another policy in front.
  • Ignore policies from meta elements that get inserted after the document's readyState reaches "interactive". This requirement further mitigates the risk of the meta element being injected. (Is this requirement @@ -1461,16 +1468,20 @@ token = <token from RFC 2

    When enforcing the sandbox directive, the user agent MUST parse the sandboxing directive using the directive-value as the input and protected resource's forced sandboxing flag set as the output. [[!HTML5]]

    +

    The sandbox directive MUST be ignored when found in a + policy specified in a meta element. The user agent SHOULD + report a warning to the developer console.

    +
    Usage

    HTML5 defines a sandbox attribute for iframe elements, intended to allow web authors to reduce the risk of including potentially untrusted content by imposing restrictions on that content's abilities. When the attribute is set,
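Review bot: in the list item added by the first hunk (@@ -291,16), "before starting to render a document in a frame, When either of these directives are encountered" is a comma splice with a subject/verb mismatch; end the first sentence with a period and write "When either of these directives is encountered in a meta element". The item also mixes a lowercase "must know" with RFC 2119 "MUST ignore" / "SHOULD report" in a list whose neighbouring items ("Add some guidance that sites should ...", "Is this requirement ...") are informal notes rather than normative text; either keep the whole item lowercase or move the requirement wording into the normative sections. Finally, the item names both sandbox and frame-options, but the only normative "MUST be ignored ... in a meta element" text added by this patch is in the sandbox section; confirm a matching paragraph is added under the frame-options directive, or narrow this item to sandbox.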
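Review bot: in the second hunk (@@ -1461,16) the new paragraph "The sandbox directive MUST be ignored when found in a policy specified in a meta element" lands after "When enforcing the sandbox directive, the user agent MUST parse the sandboxing directive using the directive-value as the input and protected resource's forced sandboxing flag set as the output", so a reader meets the unconditional parse-and-enforce requirement before learning that meta-delivered sandbox is never enforced. Move the new paragraph ahead of the enforcement sentence, or qualify that sentence so it only applies to policies delivered in a header. The new text should also say that only the sandbox directive is dropped and the remaining directives of the meta policy are still enforced, since "ignored when found in a policy" can be read as discarding the whole policy; and the "SHOULD report a warning to the developer console" clause should name what the warning reports (that a sandbox directive in a meta element was ignored), so implementers emit something a developer can act on.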