Re: [CSP] violation reports for sandbox

On 11/5/2014 7:41 PM, Brian Smith wrote:
> 1. I noticed that the specification for the sandbox directive does not
> say that violations must be reported, though it does say "The sandbox
> directive will be ignored when monitoring a policy, and when contained
> in a policy defined via a meta element." Is that statement intended to
> mean that sandbox directive violations are never reported, or only that
> sandbox directive violations are never reported in report-only mode?

Is there any meaningful way to violate the sandbox directive? It applies
processing rules to a document and the document will always "work" (to
varying extents) within those restrictions.

> 2. Why aren't the reporting rules the same for sandbox as the normal CSP
> directives?

Define "normal directives", and how are the rules different for sandbox?
If we can define a way to violate it then we would certainly want to
report it, but I don't see how a violation is possible.

the frame-ancestors directive is more similar to the sandbox directive
in applying to the way the document itself is loaded than to directives
dealing with content within the document like what I assume you mean by
"normal" directives. But frame-ancestors can cause documents not to load
so there is a violation we can and should report.

-Dan Veditz

Received on Thursday, 6 November 2014 04:12:58 UTC