- From: Conrad Irwin <conrad.irwin@gmail.com>
- Date: Mon, 20 Jul 2015 22:09:58 -0700
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAOTq_pvuKVjC51ZB_qWftDiDcLz_YJpmC3uHo-TzR08tp_grSQ@mail.gmail.com>
On Mon, Jul 20, 2015 at 9:31 PM, Mike West <mkwst@google.com> wrote:

> On Tue, Jul 21, 2015 at 12:37 AM, Conrad Irwin <conrad.irwin@gmail.com>
> wrote:
>>
>> I looked into using the sandbox attribute [2], but it suffered from two
>> drawbacks:
>> a) I can't add event listeners to the contents of the iframe, which is
>> necessary for keyboard shortcuts. [3]
>>
>
> Looks like a bug in Chrome rather than a bug with the feature. Does
> Firefox support this kind of work?
>

It's also broken in Firefox.

> We're fixing this with a new `allow-popups-to-escape-sandbox` keyword (
> https://wiki.whatwg.org/index.php?title=Iframe_sandbox_improvments).
> Should be shipping in Chrome 46, though I haven't heard signals from other
> browser vendors (WDYT, Mozillians? Microsofties? :) )
>

Nice, this would be perfect.

>
>> So now I'm inserting a Content-Security-Policy using a meta tag on the
>> purified document.
>>
>
> At the moment, that's how you'll need to apply a CSP to the page. One of
> the goals for CSP3 is to add a real API, but that's a little ways off.
>
>
>> I would love to be able to specify the Content-Security-Policy from the
>> parent document not the loaded document, as that feels cleaner. It would
>> also hopefully let me add CSP reports, and other features that are not
>> supported by meta-tag CSP policies.
>>
>
> What would you like to do that you can't from <meta>?
>

I would like to get violation reports (so I get alerted if something sneaks past DOMPurify). It looks like the only other two header-only values are reflected-xss (which I imagine doesn't do anything in this scenario, so I don't care about) and sandbox (which I can already set on the iframe), so it'd just be that. To be honest, it's not a deal breaker; the reports would just satisfy my curiosity.

The only other worry I have is that my Content-Security-Policy is definitely applied. If someone were to send an email that also contained a CSP (and somehow got it through DOMPurify), I'd want to make sure that my header took effect still. When it's out of band I don't get nervous, but in-band just seems more prone to issues.

Conrad
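As an added example (not part of this thread, and not DOMPurify's or any browser's code), the pattern Conrad describes in plain JavaScript: a helper that puts the policy first in the iframe's srcdoc so it is in force before any purified markup is parsed, and a small model of how CSP treats several delivered policies (each is enforced independently, so a second policy that arrives in-band can only tighten the first, never loosen it). Function names are assumptions and source matching is simplified to `*`, `'self'`, `'none'` and exact origins.

```javascript
// Constructed example: compose the sandboxed iframe document and model the
// "every policy must allow the load" rule for multiple CSP <meta> policies.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '"': '&quot;' };

// Serialize a directive map into a CSP header/meta value.
function serializePolicy(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Build the srcdoc (assign it with `iframe.srcdoc = ...`): the policy is the
// first thing in <head>, so it applies to everything that follows it.
function buildSrcdoc(purifiedHtml, directives) {
  const csp = serializePolicy(directives).replace(/[&<"]/g, c => ESCAPES[c]);
  return '<!DOCTYPE html><html><head>' +
    `<meta http-equiv="Content-Security-Policy" content="${csp}">` +
    `</head><body>${purifiedHtml}</body></html>`;
}

// Parse a CSP string into { directive: [sources] }.
function parsePolicy(text) {
  const out = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does one policy allow `origin` for `directive`? Fetch directives fall back
// to default-src; a policy naming neither imposes no restriction (simplified).
function policyAllows(policy, directive, origin, selfOrigin) {
  const sources = policy[directive] !== undefined ? policy[directive]
                                                  : policy['default-src'];
  if (sources === undefined) return true;
  return sources.some(s => s === '*' || s === origin ||
                           (s === "'self'" && origin === selfOrigin));
}

// Each delivered policy is enforced on its own, so the load goes ahead only
// if all of them allow it: an extra in-band policy cannot widen the first.
function allPoliciesAllow(policies, directive, origin, selfOrigin) {
  return policies.every(p =>
    policyAllows(parsePolicy(p), directive, origin, selfOrigin));
}
```

Note that report-uri, sandbox and frame-ancestors are ignored in a `<meta>` policy, which is why the violation reports Conrad wants need a header-delivered policy.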
Received on Tuesday, 21 July 2015 05:10:47 UTC