[CSP] violation reports for sandbox


1. I noticed that the specification for the sandbox directive does not say
that violations must be reported, though it does say "The sandbox directive
will be ignored when monitoring a policy, and when contained in a policy
defined via a meta element." Is that statement intended to mean that
sandbox directive violations are never reported, or only that sandbox
directive violations are never reported in report-only mode?

2. Why aren't the reporting rules the same for sandbox as the normal CSP
directives? It seems like the same the security/privacy considerations are
the same. If there is a reason for the difference, it would be good to note
that reason in the spec.


Received on Thursday, 6 November 2014 03:42:15 UTC