- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 5 Nov 2014 19:41:48 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 6 November 2014 03:42:15 UTC

Hi,

1. I noticed that the specification for the sandbox directive does not say that violations must be reported, though it does say "The sandbox directive will be ignored when monitoring a policy, and when contained in a policy defined via a meta element." Is that statement intended to mean that sandbox directive violations are never reported, or only that sandbox directive violations are never reported in report-only mode?

2. Why aren't the reporting rules the same for sandbox as the normal CSP directives? It seems like the security/privacy considerations are the same. If there is a reason for the difference, it would be good to note that reason in the spec.

Cheers,
Brian