
Re: CSP and cross-frame communication

From: David Bruant <bruant.d@gmail.com>
Date: Wed, 15 Feb 2012 10:27:13 +0100
Message-ID: <4F3B7A71.2030001@gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi Brad,

On 15/02/2012 00:01, Hill, Brad wrote:
>    It sounds like what you're asking for is a way to prohibit cross-frame interactions that would normally be allowed by the Same Origin Policy, except through structured channels like postMessage.
It is :-)

>    One of the major aspects of the sandbox directive (should it eventually be supported in CSP) is that a sandboxed resource is forced into a unique origin.
Is it unique per URL? For instance, if I open an iframe of the exact 
same URL as the opening page, will both have the same origin? My wish 
would be that they do not.
Can this unique origin be "transferred" in some way?

> I believe this would achieve the effect you intend - if not, perhaps a counter-example would clarify things?
I had missed the "unique origin" part of sandboxes, so I need to study 
the implications of this more, but it seems to achieve what I need indeed 
(assuming the answers to the above questions are satisfying). Thanks for 
pointing it out.

However, it raises some questions.
The sandbox attribute (and I'm assuming the sandbox directive as well) 
defines an "allow-scripts" keyword.
What are the interactions between the different values of 
"allow-scripts" and the values of the "script-src" directive?
About the sandbox attribute, HTML Standard mentions: "the 'allow-forms' 
and 'allow-scripts' keywords re-enable forms and scripts respectively 
(though scripts are still prevented from creating popups)."

How does this "prevent creating popup" interact with the script-src 

Thanks for your answer,

Received on Wednesday, 15 February 2012 09:27:49 UTC
