- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 21 Feb 2011 12:20:02 -0800
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
On Mon, Feb 21, 2011 at 11:38 AM, sird@rckc.at <sird@rckc.at> wrote:
> Oh btw, regarding this idea of putting sandbox in a CSP rule.
>
> I like it. But I would have preferred if it was the other way around..
> And let a sandboxed iframe to have CSP rules.
>
> Either way, if we have:
>
> CSP: sandbox;script-src http://*.google.com
>
> What will happen? The rules conflict with each other. I know the
> answer will be, that no scripts will be allowed.. but that's
> counterintuitive..

It seems relatively intuitive. Just think of each CSP directive as
forbidding things. Then it's easy to understand how the directives
combine.

> What about
>
> CSP: sandbox allow-scripts;
>
> Then script-src and inline-script rules are useless?

The script-src and inline-script directives still work fine in that
scenario.

Keep in mind that we need to have the interaction between CSP and
iframe@sandbox be well-defined and sensible because they're already
easy to combine even without the sandbox directive in CSP.

Adam

> On Mon, Feb 21, 2011 at 11:33 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>> On 21 February 2011 19:21, sird@rckc.at <sird@rckc.at> wrote:
>>>
>>> Would be cool if we had a "disallow-navigation" rule which disallows
>>> the user to navigate to any links.
>>
>> +1
>>
>> Same domain navigations restrictions would be awesome
>>
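One way to read the "each directive forbids things" rule from the message above, as an added example that is not part of the thread: a small model in which a script runs only if neither the sandbox directive nor script-src forbids it. The header parsing and the source matching are simplified assumptions for illustration, not the CSP specification.

```javascript
// Added illustration (not from the thread): model every CSP directive as a
// restriction, so combining directives means a script runs only when no
// directive forbids it. Directive names and the "sandbox" syntax come from
// the message above; the matching rules are a deliberate simplification.

// Parse "sandbox allow-scripts; script-src http://*.google.com" into
// { sandbox: ["allow-scripts"], "script-src": ["http://*.google.com"] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name] = values;
  }
  return policy;
}

// Does a source expression such as http://*.google.com match a script URL?
// The scheme must match; a leading "*." wildcard matches any subdomain.
function sourceMatches(expr, url) {
  const src = new URL(url);
  const m = /^([a-z]+):\/\/(\*\.)?([^/]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (src.protocol !== scheme + ":") return false;
  if (src.hostname === host) return true;
  return Boolean(wildcard) && src.hostname.endsWith("." + host);
}

// Each directive may forbid the script; it is allowed only if none does.
// "sandbox" without allow-scripts forbids all script execution, so
// "sandbox;script-src http://*.google.com" blocks even google.com scripts,
// while "sandbox allow-scripts;script-src ..." leaves script-src in force.
function scriptAllowed(header, scriptUrl) {
  const policy = parseCsp(header);
  const reasons = [];
  if ("sandbox" in policy && !policy.sandbox.includes("allow-scripts")) {
    reasons.push("sandbox forbids script execution");
  }
  if ("script-src" in policy &&
      !policy["script-src"].some((e) => sourceMatches(e, scriptUrl))) {
    reasons.push("script-src does not list " + scriptUrl);
  }
  return { allowed: reasons.length === 0, reasons };
}
```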
Received on Monday, 21 February 2011 20:21:12 UTC