RE: Understanding the security model for the sandbox directive

> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]


> 4) If both CSP and the sandbox attribute supply a sandbox policies, they'll be
> merged using the algorithm in the HTML5 spec (which is currently used to
> merge sandbox bits for nested iframes).

My only question is whether all the security folks fully evaluated the sandbox model in HTML5.    If so I'm ok, but if it didn't get a lot of attention I'm fine being in-sync, but let's make any adjustments in the HTML5 spec as necessary.

I'm just going to assume it implements a model where you can only subtract rights, now add to them, from children, correct?

- Andy

Received on Friday, 4 November 2011 22:42:53 UTC