- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 4 Nov 2011 09:37:20 -0700
- To: dveditz <dveditz@mozilla.com>
- Cc: public-web-security@w3.org, jrossi@microsoft.com
On Fri, Nov 4, 2011 at 8:26 AM, dveditz <dveditz@mozilla.com> wrote:
> What do you mean by "main frame"? The top document, or the document in a
> <frame> element in the top document?

The top document.

> A sandbox directive should apply to any document no matter where loaded, and
> should not pollute the container it is loaded in for future documents. If we
> start with those as consistency principles what works and what doesn't?

The unique origin seems to work, but I'm not sure the other tokens work. The example I gave previously was script execution. The attacker cannot execute script in the sandboxed document itself, but he/she can trigger a navigation to another (non-sandboxed) document, which can execute script.

> What model does IE 10 follow? What have they learned from their
> implementation?

I'm hoping jrossi can shed some light on that question.

Adam
Received on Friday, 4 November 2011 16:38:29 UTC