- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 21 Feb 2011 10:48:39 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: public-web-security@w3.org

On Mon, Feb 21, 2011 at 10:41 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 21 February 2011 18:18, Adam Barth <w3c@adambarth.com> wrote:
>>
>> I'm not sure I understand. Are you assuming that the document is
>> loaded in the top-most frame?
>
> Maybe we're talking about different things but if allow-top-navigation
> exists in the CSP policy then I assume by default it isn't allowed.

That's correct. By default, the sandbox directive (and the sandbox
attribute of iframes) blocks top-level navigation from subframes.

> Therefore any clicks/redirections to a different domain with a new CSP
> policy that allows top redirects would break the policy of the original CSP
> server.

Ah, I understand your point. That's true for some examples, but not true
in general. For example, sandbox policies, as defined by HTML5,
propagate to subframes. Although the document with the CSP policy
could use something like meta-refresh to circumvent the navigation
restrictions, the documents contained in subframes would not be able
to do so.

Another point of view on this issue is that there's value in matching
HTML5's definition of "sandbox" rather than tinkering with it.

Adam

Received on Monday, 21 February 2011 18:49:45 UTC
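
The propagation described in the message above, as an added example that is not part of the original thread: a simplified JavaScript model of how HTML5 sandbox restrictions accumulate down a frame tree. The frame names, the tree, and the shortened flag names are assumptions made for illustration.

```javascript
// Simplified model of HTML5 sandbox flag inheritance (added example, not a
// browser API). A "flag" is a restriction; each allow-* token lifts one.
// Flag names are shortened stand-ins for the spec's sandboxing flags.
const ALL_FLAGS = ["top-navigation", "scripts", "forms", "same-origin"];

// Turn a sandbox token list into the set of restrictions it imposes.
// null means the frame or document carries no sandbox at all.
function parseSandbox(tokens) {
  if (tokens === null || tokens === undefined) return new Set();
  const flags = new Set(ALL_FLAGS);
  for (const t of tokens.split(/\s+/).filter(Boolean)) {
    if (t.startsWith("allow-")) flags.delete(t.slice("allow-".length));
  }
  return flags;
}

const union = (a, b) => new Set([...a, ...b]);

// A frame starts with its parent document's active flags plus its own iframe
// sandbox attribute; the document loaded in it then adds the flags from its
// own CSP sandbox directive. Restrictions only accumulate going down.
function activeFlags(node, parentActive = new Set(), out = {}) {
  const frameFlags = union(parentActive, parseSandbox(node.iframeSandbox));
  const docFlags = union(frameFlags, parseSandbox(node.cspSandbox));
  out[node.name] = docFlags;
  for (const child of node.children || []) activeFlags(child, docFlags, out);
  return out;
}

const canNavigateTop = (flagsByName, name) =>
  !flagsByName[name].has("top-navigation");

// Constructed frame tree: "widget" is served with a CSP sandbox directive that
// omits allow-top-navigation; its child "ad" asks for it in the iframe attribute.
const tree = {
  name: "top", iframeSandbox: null, cspSandbox: null, children: [
    { name: "widget", iframeSandbox: null, cspSandbox: "allow-scripts", children: [
      { name: "ad", iframeSandbox: "allow-scripts allow-top-navigation", cspSandbox: null },
    ] },
    { name: "trusted", iframeSandbox: "allow-scripts allow-top-navigation", cspSandbox: null },
  ],
};
const flags = activeFlags(tree);
```

In this model the "ad" frame stays blocked from top-level navigation because it inherits the restriction from "widget", while "trusted", whose parent imposes no sandbox, is allowed.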