- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 4 Nov 2011 15:53:12 -0700
- To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
- Cc: "Hill, Brad" <bhill@paypal-inc.com>, dveditz <dveditz@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>, "jrossi@microsoft.com" <jrossi@microsoft.com>
On Fri, Nov 4, 2011 at 3:42 PM, Steingruebl, Andy <asteingruebl@paypal-inc.com> wrote: >> -----Original Message----- >> From: Adam Barth [mailto:w3c@adambarth.com] > >> 4) If both CSP and the sandbox attribute supply a sandbox policies, they'll be >> merged using the algorithm in the HTML5 spec (which is currently used to >> merge sandbox bits for nested iframes). > > My only question is whether all the security folks fully evaluated the sandbox model in HTML5. If so I'm ok, but if it didn't get a lot of attention I'm fine being in-sync, but let's make any adjustments in the HTML5 spec as necessary. > > I'm just going to assume it implements a model where you can only subtract rights, now add to them, from children, correct? Correct. Adam
Received on Friday, 4 November 2011 22:54:19 UTC