Re: Understanding the security model for the sandbox directive

On Fri, Nov 4, 2011 at 3:42 PM, Steingruebl, Andy
<> wrote:
>> -----Original Message-----
>> From: Adam Barth []
>> 4) If both CSP and the sandbox attribute supply a sandbox policies, they'll be
>> merged using the algorithm in the HTML5 spec (which is currently used to
>> merge sandbox bits for nested iframes).
> My only question is whether all the security folks fully evaluated the sandbox model in HTML5.    If so I'm ok, but if it didn't get a lot of attention I'm fine being in-sync, but let's make any adjustments in the HTML5 spec as necessary.
> I'm just going to assume it implements a model where you can only subtract rights, now add to them, from children, correct?



Received on Friday, 4 November 2011 22:54:19 UTC