- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 9 Nov 2011 15:55:12 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-web-security@w3.org, Jacob Rossi <jrossi@microsoft.com>
On Wed, Nov 9, 2011 at 3:51 PM, Ian Hickson <ian@hixie.ch> wrote: > On Fri, 4 Nov 2011, Adam Barth wrote: >> >> 2) Refuse to load documents with a CSP sandbox directive in the main >> frame. Site can, of course, continue to load them in subframes. We >> could then apply the sandbox policy to the iframe and all future >> documents that load in that frame. There's no "poisoning" issues as >> above because navigating the main frame clears out the policy. >> >> Of these choices, I favor (2) because I think the main use case for this >> feature is for documents intended to be loaded in subframes rather than >> documents loaded in the main frame. > > When would it be preferable to do this rather than just using sandbox="" > on the <iframe>? The issue is that an attacker can load the document in a frame that lacks the sandbox attribute. The server hosting the content wishes for it to be sandboxed whenever possible. Adam
Received on Wednesday, 9 November 2011 23:56:13 UTC