W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2013

Re: [webappsec] CSP reporting and sandbox directive

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 26 Jun 2013 19:25:57 -0700
Message-ID: <51CBA2B5.5090106@mozilla.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, "jacob.rossi@microsoft.com" <jacob.rossi@microsoft.com>
On 6/26/2013 4:28 PM, Hill, Brad wrote:
> Is it clear what the event model for violations here is?

For the other CSP directives a violation represents something unexpected
that is actually present in your content. Might be a bug (in the content
or the CSP policy) or it might be injected. Reporting this lets the site
authors fix their site.

It's not clear to me that there _are_ sandbox violations. It doesn't
declare an invariant, it provides processing rules: "ignore scripts in
this context", "treat as a unique origin".

"frame-option" violations are also problematic. What is a site author
expected to do about it? There's nothing to clean up in their own site,
someone somewhere is trying to include them. Pass along the including
page so the site can send cease and desist letters? But except in the
nested case the site already could get the referers from their logs.

-Dan Veditz

Received on Thursday, 27 June 2013 02:26:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC