- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Fri, 4 Nov 2011 11:06:45 -0600
- To: Adam Barth <w3c@adambarth.com>
- CC: dveditz <dveditz@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>, "jrossi@microsoft.com" <jrossi@microsoft.com>
I would say yes, if a page wants protections from content in an iframe, it must set the policy itself, not expect the server to. Basically, if you think the iframed content is potentially untrustworthy and needs a sandbox, why would you trust it to sandbox itself?

Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad

On Nov 4, 2011, at 10:00 AM, "Adam Barth" <w3c@adambarth.com> wrote:

> What about the case when user-contrib.paypal-sandbox.com is loaded in an iframe? Should we persist the sandbox bits from CSP across navigation then, or is it the responsibility of the embedding page to include the sandbox attribute on the iframe they point at user-contrib.paypal-sandbox.com?
>
> Adam
>
> On Fri, Nov 4, 2011 at 9:55 AM, Hill, Brad <bhill@paypal-inc.com> wrote:
>> I think maintaining the sandbox state across navigation is only important in a subframe case because the outer framing content must remain protected across these events.
>>
>> For sandboxing applied by the server, it's the server that needs to apply protection uniformly, not the browser.
>>
>> e.g. if I want to block script execution on user-contrib.paypal-sandbox.com to help prevent resources there from scripting each other, it doesn't matter if a resource there can navigate to evil.example.com and execute script from that origin - I have standard SOP protections in that case.
>>
>> If it navigates elsewhere on user-contrib.paypal-sandbox.com, my server can still force the correct sandbox header on that content.
>>
>> Am I missing something?
>>
>> Brad Hill
>> Sr. MTS, Internet Standards and Governance
>> PayPal Information Risk Management
>> cell: 206.245.7844 / skype: hillbrad
>>
>> On Nov 4, 2011, at 9:39 AM, "Adam Barth" <w3c@adambarth.com> wrote:
>>
>>> On Fri, Nov 4, 2011 at 8:26 AM, dveditz <dveditz@mozilla.com> wrote:
>>>> What do you mean by "main frame"? The top document, or the document in a <frame> element in the top document?
>>>
>>> The top document.
>>>
>>>> A sandbox directive should apply to any document no matter where loaded, and should not pollute the container it is loaded in for future documents. If we start with those as consistency principles what works and what doesn't?
>>>
>>> The unique origin seems to work, but I'm not sure the other tokens work. The example I gave previously was script execution. The attacker cannot execute script in the sandboxed document itself, but he/she can trigger a navigation to another (non-sandboxed) document, which can execute script.
>>>
>>>> What model does IE 10 follow? What have they learned from their implementation?
>>>
>>> I'm hoping jrossi can shed some light on that question.
>>>
>>> Adam
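The navigation case argued over in this thread, as an added model that is not code from the thread or from any browser: the embedding page's iframe `sandbox` attribute is attached to the frame and survives navigation, while a `Content-Security-Policy: sandbox` directive only restricts the one response that carried it. A document's allowed capabilities are the intersection of what the frame attribute permits and what the response's directive permits; the URL-to-response table is constructed for illustration.

```javascript
// Added model (not the thread's or any browser's code) of effective sandbox
// flags under the two enforcement points discussed above: the embedder's
// <iframe sandbox> attribute versus the server's CSP sandbox directive.

// Capability tokens a sandbox can re-enable (HTML / CSP sandbox token names).
const CAPABILITIES = new Set([
  'allow-scripts', 'allow-same-origin', 'allow-forms', 'allow-popups',
  'allow-top-navigation',
]);

// Parse a sandbox token list into the set of capabilities it keeps allowed.
// An empty string (attribute or directive with no tokens) allows nothing.
function allowedFrom(tokens) {
  return new Set(tokens.split(/\s+/).filter(t => CAPABILITIES.has(t)));
}

// Constructed responses: the user-contrib host forces a full sandbox via
// CSP on every page it serves; the foreign origin sends no CSP at all.
const RESPONSES = {
  'https://user-contrib.paypal-sandbox.com/a': { cspSandbox: '' },
  'https://user-contrib.paypal-sandbox.com/b': { cspSandbox: '' },
  'https://evil.example.com/': { cspSandbox: null },   // null = no directive
};

// Capabilities a document at `url` has when loaded into a frame whose
// sandbox attribute is `frameAttr` (null = attribute absent).  A capability
// survives only if both the frame attribute and the response permit it.
function effectiveAllowed(frameAttr, url) {
  const resp = RESPONSES[url];
  if (!resp) throw new Error(`no constructed response for ${url}`);
  const byResponse = resp.cspSandbox === null
    ? new Set(CAPABILITIES)                 // no directive: nothing forced
    : allowedFrom(resp.cspSandbox);
  if (frameAttr === null) return byResponse; // unsandboxed frame
  const byFrame = allowedFrom(frameAttr);
  return new Set([...byResponse].filter(c => byFrame.has(c)));
}

function scriptsRun(frameAttr, url) {
  return effectiveAllowed(frameAttr, url).has('allow-scripts');
}

// Walk a frame through a sequence of navigations and report, per document,
// whether script can execute.  The frame attribute persists; the CSP
// sandbox is re-derived from each response.
function navigateFrame(frameAttr, urls) {
  return urls.map(url => scriptsRun(frameAttr, url));
}
```

With no attribute on the frame, the sandboxed page can navigate the frame to evil.example.com and script runs there; with `sandbox=""` on the iframe, script stays blocked after the same navigation.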
Received on Friday, 4 November 2011 17:07:26 UTC