Re: Understanding the security model for the sandbox directive

On Fri, 4 Nov 2011, Adam Barth wrote:
> 2) Refuse to load documents with a CSP sandbox directive in the main 
> frame.  Site can, of course, continue to load them in subframes.  We 
> could then apply the sandbox policy to the iframe and all future 
> documents that load in that frame.  There's no "poisoning" issues as 
> above because navigating the main frame clears out the policy.
> Of these choices, I favor (2) because I think the main use case for this 
> feature is for documents intended to be loaded in subframes rather than 
> documents loaded in the main frame.

When would it be preferable to do this rather than just using sandbox="" 
on the <iframe>?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 9 November 2011 23:52:12 UTC