[CSP] violation reports for sandbox from Brian Smith on 2014-11-06 (public-webappsec@w3.org from November 2014)

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 19:41:48 -0800
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt5tbBGHd8bwhBQ8qGScZ+hJo_fo=hsQ1dyA7QJW-V=p4w@mail.gmail.com>

Hi,

1. I noticed that the specification for the sandbox directive does not say
that violations must be reported, though it does say "The sandbox directive
will be ignored when monitoring a policy, and when contained in a policy
defined via a meta element." Is that statement intended to mean that
sandbox directive violations are never reported, or only that sandbox
directive violations are never reported in report-only mode?

2. Why aren't the reporting rules the same for sandbox as the normal CSP
directives? It seems like the same the security/privacy considerations are
the same. If there is a reason for the difference, it would be good to note
that reason in the spec.

Cheers,
Brian

Received on Thursday, 6 November 2014 03:42:15 UTC