- From: <sird@rckc.at>
- Date: Tue, 22 Feb 2011 01:31:44 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
Oh, I wasn't aware that the "default-do-nothing" was really happening.

-- Eduardo

On Tue, Feb 22, 2011 at 1:16 AM, Adam Barth <w3c@adambarth.com> wrote:
> I don't think the situation is as tricky as you make it out to be,
> especially if we go the route of an empty CSP policy not implying
> inline script restrictions, which seems likely.
>
> Adam
>
>
> On Tue, Feb 22, 2011 at 1:11 AM, sird@rckc.at <sird@rckc.at> wrote:
>> @gaz, it's defined in iframe element > sandbox attribute in HTML 5.
>> http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox
>>
>> dross@ had concerns about this as well.. The good news is that it's
>> not implemented by opera/IE yet.. which are the ones that deal with
>> about: URIs weird.
>>
>>> It works exactly the same as the sandbox attribute on iframes. It's
>>> not any more or less complicated or surprising than that.
>> I think it's complicated because I'm confused :).
>>
>> So, I can imagine writing a tutorial for webmasters.. in the lines of:
>>
>> You have these rules for CSP: allow/default-src, script-src, options, etc..
>>
>> And you also have the "sandbox" rule.. when you set that one, then
>> forget about the ones you just used.. because you have to do the same
>> thing again.
>>
>> If you used "script-src" or "inline-scripts" in options, then you have
>> to add "allow-scripts".
>>
>> If you want forms, remember to add "allow-forms".
>>
>> Also, please remember that unless you want your code to be in a unique
>> origin, add "allow-same-origin", which has the same use as
>> "text/html-sandboxed" content-type.
>>
>> There's also an "allow-top-navigation" rule, that you have to set, if
>> you want yourself or any of your frame children to navigate the top
>> page..
>>
>> Now, if you wanted to use plugins, such as flash.. you are out of luck
>> until an endless W3C discussion is done and all plugin vendors agree
>> on some way to do so, which may take till 2014.
>>
>> Also, please remember that just setting "sandbox allow-scripts" will
>> not actually allow scripts, you should set
>> script-src/default-src/etc.. as well.
>>
>> By the way, it's not all bad news, the reason you have "sandbox" here
>> is so you can sandbox context in a unique origin that isn't HTML..
>> (or, are there any other advantages?)
>>
>> Greetings!!
>>
>> -- Eduardo
>>
>>
>> On Tue, Feb 22, 2011 at 12:52 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>>> On 22 February 2011 00:42, Adam Barth <w3c@adambarth.com> wrote:
>>>>
>>>> > 1. When sandbox kicks in, I get a unique origin right?
>>>>
>>>> Yes.
>>>
>>> How does this unique origin work? I can't find it defined anywhere. I see a
>>> couple of problems with it....
>>>
>>> 1. If the unique origin is defined in the url what happens when a link is
>>> clicked, does it send the referrer?
>>> 2. If the unique origin is different than the URL itself then how can that
>>> work since same origin policy will be broken
>>> 3. Let's say the unique origin uses the about protocol, is each unique
>>> protocol classed as a separate domain on each browser, e.g. about:1, about:2
>>> can you set cookies on about:1 then can be read by about:2
>>> 4. What if a sandbox allows JavaScript and the location is written
>>> somewhere, would that expose the unique origin?
>>>
Received on Tuesday, 22 February 2011 09:32:37 UTC
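
The interaction discussed in this thread, where the sandbox flags and the script-src/default-src source list must both permit a script before it runs, as an added example that is not part of the original messages. It assumes today's CSP header syntax (`'unsafe-inline'` rather than the draft's "options inline-scripts") and ignores nonces and hashes; the function names `parseCsp` and `effectivePermissions` and the header strings are constructed for illustration.

```javascript
// Added example: a simplified model of how the CSP "sandbox" directive
// combines with script-src/default-src. Not browser code; names are hypothetical.

// Parse "name v1 v2; name v1" into a Map of directive name -> lower-cased tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later repeats are ignored.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map(t => t.toLowerCase()));
    }
  }
  return directives;
}

function effectivePermissions(header) {
  const d = parseCsp(header);
  const sandboxed = d.has('sandbox');
  const flags = new Set(d.get('sandbox') || []);
  // Without a sandbox directive nothing is restricted by sandboxing;
  // with one, every capability is off unless its allow-* flag is listed.
  const allows = flag => !sandboxed || flags.has(flag);

  // script-src falls back to default-src; if neither is present,
  // the policy places no source restriction on inline script.
  const scriptSrc = d.get('script-src') || d.get('default-src');
  const inlineBySrc = scriptSrc === undefined || scriptSrc.includes("'unsafe-inline'");

  return {
    uniqueOrigin: sandboxed && !flags.has('allow-same-origin'),
    forms: allows('allow-forms'),
    topNavigation: allows('allow-top-navigation'),
    // Inline script needs BOTH the sandbox flag and the source list to agree.
    inlineScript: allows('allow-scripts') && inlineBySrc,
  };
}

// Constructed sample policies.
for (const policy of [
  "sandbox allow-scripts; script-src 'self'",
  "sandbox allow-scripts allow-forms; script-src 'self' 'unsafe-inline'",
  "sandbox allow-same-origin",
]) {
  console.log(policy, '=>', effectivePermissions(policy));
}
```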