Re: Understanding the security model for the sandbox directive

I think maintaining the sandbox state across navigation is only important in a subframe case because the outer framing content must remain protected across these events.

For sandboxing applied by the server, it's the server that needs to apply protection uniformly, not the browser.

E.g. if I want to block script execution on user-contrib.paypal-sandbox.com to help prevent resources there from scripting each other, it doesn't matter if a resource there can navigate to evil.example.com and execute script from that origin - I have standard SOP protections in that case.

If it navigates elsewhere on user-contrib.paypal-sandbox.com, my server can still force the correct sandbox header on that content.

Am I missing something?

Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad

On Nov 4, 2011, at 9:39 AM, "Adam Barth" <w3c@adambarth.com> wrote:

> On Fri, Nov 4, 2011 at 8:26 AM, dveditz <dveditz@mozilla.com> wrote:
>> What do you mean by "main frame"? The top document, or the document in a
>> <frame> element in the top document?
> 
> The top document.
> 
>> A sandbox directive should apply to any document no matter where loaded, and
>> should not pollute the container it is loaded in for future documents. If we
>> start with those as consistency principles what works and what doesn't?
> 
> The unique origin seems to work, but I'm not sure the other tokens
> work.  The example I gave previously was script execution.  The
> attacker cannot execute script in the sandboxed document itself, but
> he/she can trigger a navigation to another (non-sandboxed) document,
> which can execute script.
> 
>> What model does IE 10 follow? What have they learned from their
>> implementation?
> 
> I'm hoping jrossi can shed some light on that question.
> 
> Adam
> 

Received on Friday, 4 November 2011 16:55:50 UTC
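The point made above is that when the sandbox comes from the server, the server has to apply it uniformly to every document on the user-content host, since a navigation within that host gets a fresh response. The following is an added example, not code from the thread or from PayPal: a small audit that walks a set of responses and flags any document on the host that lacks a CSP `sandbox` directive or re-enables script with `allow-scripts`. The host name is the one used in the message; the responses and paths are constructed, and the CSP parsing is simplified to single-header policies.

```python
"""Audit that every response from a user-content host carries a
Content-Security-Policy sandbox directive that actually blocks script.
Added example; the sample responses below are constructed."""


def parse_csp(header_value):
    """Return {directive-name: [tokens]} for one CSP header value."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [t.lower() for t in parts[1:]]
    return policy


def sandbox_blocks_script(headers):
    """True only if a CSP sandbox directive is present and does not
    carry 'allow-scripts'. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        return False
    policy = parse_csp(csp)
    if "sandbox" not in policy:
        return False
    return "allow-scripts" not in policy["sandbox"]


def audit_host(host, responses):
    """Return the paths on `host` whose response fails to enforce a
    script-blocking sandbox. `responses` is a list of (host, path, headers)."""
    return [path for resp_host, path, headers in responses
            if resp_host == host and not sandbox_blocks_script(headers)]


# Constructed sample responses: (host, path, response headers)
SAMPLE_RESPONSES = [
    ("user-contrib.paypal-sandbox.com", "/a.html",
     {"Content-Security-Policy": "sandbox allow-forms"}),
    ("user-contrib.paypal-sandbox.com", "/b.html",
     {"content-security-policy": "sandbox allow-scripts allow-forms"}),
    ("user-contrib.paypal-sandbox.com", "/c.html", {}),
    ("evil.example.com", "/x.html", {}),  # other origin: SOP applies, not audited
]

if __name__ == "__main__":
    print(audit_host("user-contrib.paypal-sandbox.com", SAMPLE_RESPONSES))
```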