- From: David Bruant <bruant.d@gmail.com>
- Date: Wed, 15 Feb 2012 10:27:13 +0100
- To: "Hill, Brad" <bhill@paypal-inc.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi Brad, Le 15/02/2012 00:01, Hill, Brad a écrit : > It sounds like what you're asking for is a way to prohibit cross-frame interactions that would normally be allowed by the Same Origin Policy, except through structured channels like postMessage. It is :-) > One of the major aspects of the sandbox directive (should it eventually be supported in CSP) is that a sandboxed resource is forced into a unique origin. Is it unique per URL? For instance, if I open an iframe of the exact same URL as the opening page, will both have the same origin? My wish would be that no. Can this unique origin be "tranfered" in some way? > I believe this would achieve the effect you intend - if not, perhaps a counter-example would clarify things? I had missed the "unique origin" part of sandboxes, so I need to study more the implication of this, but it seems to achieve what I need indeed (assuming answers from above questions are satisfying). Thanks for pointing it out. However, it raises some questions. The sandbox attribute (and I'm assuming the sandbox directive as well) defines an "allow-scripts" keyword. What are the interactions between the different values of "allow-scripts" and the values of the "script-src" directive. About the sandbox attribute, HTML Standard mentions: "the 'allow-forms' and 'allow-scripts' keywords re-enable forms and scripts respectively (though scripts are still prevented from creating popups)." How does this "prevent creating popup" interacts with the script-src directive? Thanks for your answer, David
Received on Wednesday, 15 February 2012 09:27:49 UTC