
Keeping sandbox directive in CSP 1.0

From: Jacob Rossi <Jacob.Rossi@microsoft.com>
Date: Tue, 15 May 2012 20:27:09 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: Adrian Bateman <adrianba@microsoft.com>
Message-ID: <D0BC8E77E79D9846B61A2432D1BA4EAE063DE2C4@TK5EX14MBXC288.redmond.corp.microsoft.com>
Hi folks,

Since it's our off week for a telecon, I wanted to continue our discussion about the sandbox directive staying in the 1.0 spec (rather than postponing to 1.1).

Microsoft believes that the HTML5 Sandbox feature is incomplete without a corresponding server-side mechanism for enforcing sandbox restrictions. As an example, this is impactful for scenarios where a page is normally hosted in a sandboxed iframe but somehow the user is misled to navigate directly to the content (escaping the iframe sandbox).

We believe this feature is ready and stable for web developers to start using today. Keeping it in the 1.0 spec codifies that and helps us encourage web developers to use the feature to further secure their site, quelling fears by web developers of the feature changing out from under them. At TPAC and in previous telecons, we've discussed whether this should be in the 1.0 spec before--consensus at the time was to include it in 1.0.

We do not see any technical or procedural reason that would warrant delaying this useful feature. There currently are no open technical issues on how the feature works, we have good spec text for the description, and there are two interoperable implementations (WebKit and IE10).

We think it's best for the Web that the sandbox directive stay in the 1.0 spec. There were a couple folks who disagreed with that on our last call, so I'd like to continue that discussion so that we can come to a true resolution on this issue.


Received on Tuesday, 15 May 2012 20:27:50 UTC
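
The scenario in the message above (content meant for a sandboxed iframe being opened directly as a top-level page) is the case a response-header sandbox covers. The following is an added example, not part of the original message or of any implementation it mentions: a handler with the signature of Node's `http.createServer` callback that attaches `Content-Security-Policy: sandbox` to every response under a hypothetical `/untrusted/` prefix. The prefix, the function names and the refusal of `allow-scripts` together with `allow-same-origin` are assumptions of this example.

```javascript
// Constructed example: the route prefix and response body are hypothetical.
const UNTRUSTED_PREFIX = "/untrusted/";

// Subset of the keywords HTML defines for the iframe sandbox attribute.
const KNOWN_FLAGS = new Set([
  "allow-forms", "allow-scripts", "allow-same-origin", "allow-top-navigation",
]);

// Build the header value. No flags means every sandbox restriction applies.
function sandboxPolicy(flags = []) {
  for (const f of flags) {
    if (!KNOWN_FLAGS.has(f)) throw new Error(`unknown sandbox flag: ${f}`);
  }
  // Policy choice of this example: scripts that also keep the hosting origin
  // can reach that origin's cookies and storage, so the pair is refused.
  if (flags.includes("allow-scripts") && flags.includes("allow-same-origin")) {
    throw new Error("allow-scripts with allow-same-origin is refused here");
  }
  return ["sandbox", ...flags].join(" ");
}

// Headers depend only on the request path, so the restriction holds whether
// the document is loaded inside the iframe or opened directly.
function headersFor(urlPath, flags = []) {
  const headers = { "Content-Type": "text/html; charset=utf-8" };
  if (urlPath.startsWith(UNTRUSTED_PREFIX)) {
    headers["Content-Security-Policy"] = sandboxPolicy(flags);
  }
  return headers;
}

// Usable as http.createServer(handle); URL parsing resolves "../" segments
// before the prefix check.
function handle(req, res) {
  const path = new URL(req.url, "http://localhost").pathname;
  res.writeHead(200, headersFor(path, ["allow-forms"]));
  res.end("<!doctype html><p>user-supplied content</p>");
}
```

The embedding page would still use `<iframe sandbox src="/untrusted/...">`; the header is the server-side counterpart for direct navigation.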
