- From: <sird@rckc.at>
- Date: Mon, 21 Feb 2011 16:37:39 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org

So, the moment I say "sandbox", I get several new restrictions that I
wasn't expecting:

1. When sandbox kicks in, I get a unique origin, right?
2. If I want to use a sandbox rule, such as.. allow-top-navigation, I
   will have to do "allow-forms" as well, or mysteriously, my forms will
   stop working.
3. If I want to use allow-top-navigation and allow Flash, how can I do
   that? With CSP alone, I can.. but if you add sandbox, then there's no
   way.

Anyways, I'm not saying it's a bad idea, I like it.. it's just that it may
get so complicated to get right, that no one will end up using it.

Greetz

-- Eduardo

On Mon, Feb 21, 2011 at 12:20 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Feb 21, 2011 at 11:38 AM, sird@rckc.at <sird@rckc.at> wrote:
>> Oh btw, regarding this idea of putting sandbox in a CSP rule.
>>
>> I like it. But I would have preferred if it was the other way around..
>> And let a sandboxed iframe have CSP rules.
>>
>> Either way, if we have:
>>
>> CSP: sandbox;script-src http://*.google.com
>>
>> What will happen? The rules conflict with each other. I know the
>> answer will be, that no scripts will be allowed.. but that's
>> counterintuitive..
>
> It seems relatively intuitive. Just think of each CSP directive as
> forbidding things. Then it's easy to understand how the directives
> combine.
>
>> What about
>>
>> CSP: sandbox allow-scripts;
>>
>> Then script-src and inline-script rules are useless?
>
> The script-src and inline-script directives still work fine in that
> scenario. Keep in mind that we need to have the interaction between
> CSP and iframe@sandbox be well-defined and sensible because they're
> already easy to combine even without the sandbox directive in CSP.
>
> Adam
>
>
>> On Mon, Feb 21, 2011 at 11:33 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>>> On 21 February 2011 19:21, sird@rckc.at <sird@rckc.at> wrote:
>>>>
>>>> Would be cool if we had a "disallow-navigation" rule which disallows
>>>> the user to navigate to any links.
>>>
>>> +1
>>>
>>> Same-domain navigation restrictions would be awesome
>>>
>>
>
Received on Tuesday, 22 February 2011 00:38:32 UTC
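
The "each directive only forbids" reading discussed in this thread, as an added example that is not part of the original message or of any browser's code. It is a simplified model: the function names are hypothetical, and source expressions are assumed to be only `scheme://host` or `scheme://*.host` with exact scheme comparison.

```javascript
// Added example: a simplified model of how CSP directives combine.
// Assumption: source expressions are only "scheme://host" or "scheme://*.host".

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Keep the first occurrence of a directive and ignore repeats.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function sourceMatches(source, url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)$/i.exec(source);
  if (!m) return false; // unsupported expression: matches nothing in this model
  const target = new URL(url);
  if (target.protocol !== m[1].toLowerCase() + ':') return false;
  const pattern = m[2].toLowerCase();
  // "*.example.com" matches subdomains only, never "example.com" itself.
  if (pattern.startsWith('*.')) return target.hostname.endsWith(pattern.slice(1));
  return target.hostname === pattern;
}

// A script runs only if no directive present in the policy forbids it.
function scriptAllowed(header, scriptUrl) {
  const policy = parsePolicy(header);
  const sandbox = policy.get('sandbox');
  if (sandbox && !sandbox.includes('allow-scripts')) return false;
  const scriptSrc = policy.get('script-src');
  if (scriptSrc && !scriptSrc.some((s) => sourceMatches(s, scriptUrl))) return false;
  return true;
}

// Forms submit only if sandbox is absent or carries allow-forms.
function formsAllowed(header) {
  const sandbox = parsePolicy(header).get('sandbox');
  return !sandbox || sandbox.includes('allow-forms');
}
```

Under this model `sandbox;script-src http://*.google.com` blocks every script, while `sandbox allow-scripts; script-src http://*.google.com` still restricts scripts to the listed hosts, so `script-src` is not made useless by `allow-scripts`.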