W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [CSP] violation reports for sandbox

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 05 Nov 2014 20:12:30 -0800
Message-ID: <545AF52E.5040605@mozilla.com>
To: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 11/5/2014 7:41 PM, Brian Smith wrote:
> 1. I noticed that the specification for the sandbox directive does not
> say that violations must be reported, though it does say "The sandbox
> directive will be ignored when monitoring a policy, and when contained
> in a policy defined via a meta element." Is that statement intended to
> mean that sandbox directive violations are never reported, or only that
> sandbox directive violations are never reported in report-only mode?

Is there any meaningful way to violate the sandbox directive? It applies
processing rules to a document and the document will always "work" (to
varying extents) within those restrictions.

> 2. Why aren't the reporting rules the same for sandbox as the normal CSP
> directives?

Define "normal directives", and how are the rules different for sandbox?
If we can define a way to violate it then we would certainly want to
report it, but I don't see how a violation is possible.

the frame-ancestors directive is more similar to the sandbox directive
in applying to the way the document itself is loaded than to directives
dealing with content within the document like what I assume you mean by
"normal" directives. But frame-ancestors can cause documents not to load
so there is a violation we can and should report.

-Dan Veditz
Received on Thursday, 6 November 2014 04:12:58 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC