[CSP] violation reports for sandbox

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 19:41:48 -0800
Message-ID: <CAFewVt5tbBGHd8bwhBQ8qGScZ+hJo_fo=hsQ1dyA7QJW-V=p4w@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi,

1. I noticed that the specification for the sandbox directive does not say
that violations must be reported, though it does say "The sandbox directive
will be ignored when monitoring a policy, and when contained in a policy
defined via a meta element." Is that statement intended to mean that
sandbox directive violations are never reported, or only that sandbox
directive violations are never reported in report-only mode?

2. Why aren't the reporting rules the same for sandbox as the normal CSP
directives? It seems like the security/privacy considerations are
the same. If there is a reason for the difference, it would be good to note
that reason in the spec.

Cheers,
Brian
Received on Thursday, 6 November 2014 03:42:15 UTC