- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 05 Nov 2014 20:12:30 -0800
- To: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 11/5/2014 7:41 PM, Brian Smith wrote:
> 1. I noticed that the specification for the sandbox directive does not
> say that violations must be reported, though it does say "The sandbox
> directive will be ignored when monitoring a policy, and when contained
> in a policy defined via a meta element." Is that statement intended to
> mean that sandbox directive violations are never reported, or only that
> sandbox directive violations are never reported in report-only mode?

Is there any meaningful way to violate the sandbox directive? It applies processing rules to a document and the document will always "work" (to varying extents) within those restrictions.

> 2. Why aren't the reporting rules the same for sandbox as the normal CSP
> directives?

Define "normal directives", and how are the rules different for sandbox? If we can define a way to violate it then we would certainly want to report it, but I don't see how a violation is possible.

The frame-ancestors directive is more similar to the sandbox directive in applying to the way the document itself is loaded than to directives dealing with content within the document like what I assume you mean by "normal" directives. But frame-ancestors can cause documents not to load so there is a violation we can and should report.

-Dan Veditz
Received on Thursday, 6 November 2014 04:12:58 UTC
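The two points in Dan's reply (sandbox is inert in report-only mode and in a meta-delivered policy, and can't be "violated" because the document always loads under its restrictions, whereas frame-ancestors can block a load and therefore yields a reportable violation) can be modelled in a small policy linter. The code below is an added example written for this page; it is not code from the thread, from the W3C spec, or from any browser. The set of directives treated as ignored in report-only mode comes from the spec sentence quoted above; treating frame-ancestors and report-uri as ignored in a meta element is an assumption based on CSP Level 2. The frame-ancestors matching is deliberately simplified (`'none'`, `'self'`, `*`, a bare scheme such as `https:`, and an exact origin; no host wildcards or paths), and the report shape follows the CSP violation-report JSON keys, with `disposition` taken from CSP Level 3. The sample policy and frame chain are constructed.

```python
from urllib.parse import urlsplit

# Directives inert in a given delivery context. "sandbox" in report-only
# and in <meta> is the spec text quoted in the thread; frame-ancestors and
# report-uri being ignored in <meta> is an assumption from CSP Level 2.
IGNORED_IN_REPORT_ONLY = {"sandbox"}
IGNORED_IN_META = {"sandbox", "frame-ancestors", "report-uri"}


def parse_policy(header):
    """Turn 'name src src; name src' into {name: [src, ...]}.
    Directive names are case-insensitive; the first occurrence wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def inert_directives(policy, report_only=False, via_meta=False):
    """Directives present in the policy that have no effect in the given
    delivery context, so a misplaced 'sandbox' is caught before deployment."""
    inert = set()
    if report_only:
        inert |= IGNORED_IN_REPORT_ONLY & set(policy)
    if via_meta:
        inert |= IGNORED_IN_META & set(policy)
    return inert


def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_matches(source, ancestor_origin, self_origin):
    """Simplified source-expression match for frame-ancestors.
    Supports 'none', 'self', '*', a bare scheme ('https:') and an exact
    origin. Host wildcards (*.example) and paths are not handled here."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return ancestor_origin == self_origin
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:
        return ancestor_origin.startswith(src + "//")
    return ancestor_origin == src.rstrip("/")


def frame_ancestors_allows(policy, document_url, ancestor_urls):
    """True if every ancestor origin in the frame chain is matched by the
    frame-ancestors source list. No directive means no restriction."""
    sources = policy.get("frame-ancestors")
    if sources is None:
        return True
    self_origin = origin_of(document_url)
    return all(
        any(source_matches(s, origin_of(anc), self_origin) for s in sources)
        for anc in ancestor_urls
    )


def evaluate_frame_load(header, document_url, ancestor_urls, report_only=False):
    """Return (document_loads, violation_report_or_None).
    frame-ancestors can block the load and so produces a report; in
    report-only mode the document loads but the report is still produced.
    A sandbox directive never produces a report: the document always loads
    under its restrictions, which is the point made in the reply above."""
    policy = parse_policy(header)
    if frame_ancestors_allows(policy, document_url, ancestor_urls):
        return True, None
    report = {
        "csp-report": {
            "document-uri": document_url,
            "violated-directive": "frame-ancestors "
            + " ".join(policy["frame-ancestors"]),
            "effective-directive": "frame-ancestors",
            "original-policy": header,
            "disposition": "report" if report_only else "enforce",
        }
    }
    return report_only, report


if __name__ == "__main__":
    # Constructed sample policy and frame chain (not from the thread).
    POLICY = ("default-src 'self'; frame-ancestors 'self' https://partner.example; "
              "sandbox allow-scripts; report-uri /csp-reports")
    DOC = "https://app.example/account"
    print("inert in report-only:", inert_directives(parse_policy(POLICY), report_only=True))
    print("inert in <meta>:", inert_directives(parse_policy(POLICY), via_meta=True))
    print(evaluate_frame_load(POLICY, DOC, ["https://evil.example/wrap"]))
    print(evaluate_frame_load(POLICY, DOC, ["https://evil.example/wrap"], report_only=True))
```

Running it shows `sandbox` flagged as inert in report-only mode, all three of `sandbox`, `frame-ancestors` and `report-uri` flagged for a meta-delivered policy, and a frame-ancestors report with `disposition: enforce` (document blocked) versus `disposition: report` (document still loads) for the same hostile ancestor chain.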