- From: Jun <notifications@github.com>
- Date: Sat, 05 May 2018 19:20:03 +0000 (UTC)
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 5 May 2018 19:20:28 UTC
[dropbox.com/enterprise](https://www.dropbox.com/enterprise) is using the following CSP sandbox:

`content-security-policy: sandbox allow-forms allow-scripts allow-top-navigation allow-popups;`

FYI to the spec editors (of all kinds): you are all doing a great job in restricting cross-origin frames or insecure contexts for powerful APIs. But in my experience, CSP/iframe sandbox is usually left to implementors, and I don't think that is a good idea (especially now that we have a major website taking advantage of sandbox). This was also a spec issue in [Web App Manifest](https://github.com/w3c/manifest/pull/638). And what about CredMan?

So I would appreciate it if spec editors could keep sandbox in mind and restrict powerful APIs in sandboxed content, as you do for cross-origin frames and insecure contexts. Thanks.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-request/issues/698#issuecomment-386828623
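As an added illustration of what the quoted header implies (example code, not part of the thread or of any W3C spec text), the following parses a Content-Security-Policy value, extracts the `sandbox` directive and reports the properties a spec editor would gate on: whether the document is sandboxed at all, which flags it was granted, and whether it runs in an opaque ("null") origin because `allow-same-origin` is absent.

```python
"""Parse a CSP header and evaluate its `sandbox` directive (illustrative example)."""
from dataclasses import dataclass

# Flag names defined for the CSP `sandbox` directive / HTML iframe sandbox attribute.
KNOWN_FLAGS = frozenset({
    "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
    "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
    "allow-presentation", "allow-same-origin", "allow-scripts",
    "allow-top-navigation", "allow-top-navigation-by-user-activation",
})


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive_name: [tokens]}.

    Directive names are ASCII case-insensitive; per CSP, a repeated directive
    is ignored and the first occurrence wins.
    """
    policy = {}
    for raw_directive in header.split(";"):
        parts = raw_directive.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


@dataclass(frozen=True)
class SandboxEvaluation:
    sandboxed: bool           # a `sandbox` directive is present (even with no flags)
    flags: frozenset          # recognised flags that were granted
    unknown_flags: frozenset  # tokens that are not defined sandbox flags (typos, etc.)
    opaque_origin: bool       # True: origin is "null"; no cookies, storage or same-origin access
    scripts_allowed: bool     # False: no script execution at all in the document


def evaluate_sandbox(header: str) -> SandboxEvaluation:
    """Evaluate the sandbox state a document with this CSP header ends up in."""
    policy = parse_csp(header)
    if "sandbox" not in policy:
        return SandboxEvaluation(False, frozenset(), frozenset(), False, True)
    tokens = frozenset(t.lower() for t in policy["sandbox"])  # flags are case-insensitive
    flags = tokens & KNOWN_FLAGS
    return SandboxEvaluation(
        sandboxed=True,
        flags=flags,
        unknown_flags=tokens - KNOWN_FLAGS,
        opaque_origin="allow-same-origin" not in flags,
        scripts_allowed="allow-scripts" in flags,
    )
```

Run against the Dropbox header quoted above, it reports a sandboxed document with scripts enabled but an opaque origin, which is exactly the combination the comment asks spec editors to consider when deciding whether a powerful API should be exposed.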