Brian Smith <brian@briansmith.org> writes:

> 1. I noticed that the specification for the sandbox directive does not say
> that violations must be reported, though it does say "The sandbox directive
> will be ignored when monitoring a policy, and when contained in a policy
> defined via a meta element." Is that statement intended to mean that
> sandbox directive violations are never reported, or only that sandbox
> directive violations are never reported in report-only mode?

The statement AFAICT means that the underlying sandbox flags are not set, so the directive and any reporting as a result of violations are ignored and not reported. Both FF and Chrome do however warn that the directive is ignored.

> 2. Why aren't the reporting rules the same for sandbox as the normal CSP
> directives? It seems like the security/privacy considerations are
> the same. If there is a reason for the difference, it would be good to note
> that reason in the spec.

To add to this: it would be useful if the HTML spec (which I guess the CSP spec piggybacks on for sandbox) said something about warnings: I don't think Chrome and FF are consistent here.

Best,
Deian

Received on Thursday, 6 November 2014 04:20:36 UTC
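The behaviour discussed in the thread, modelled as an added example (this is editor-supplied code, not browser code, not part of the CSP or HTML spec, and not from the message above): a small CSP policy parser that applies the quoted rule, dropping the sandbox directive when the policy is report-only or delivered via a meta element, emitting a console-style warning instead, and computing the effective sandbox flags only for an enforced header policy. The function names `parsePolicy` and `applyPolicy`, the `source`/`disposition` options and the warning strings are this example's own inventions; the allow-* tokens are a subset of the HTML sandbox keywords, used only to illustrate how the flags are set.

```javascript
// Added example: model of how a CSP policy's sandbox directive is handled
// depending on how the policy was delivered. Not browser or spec code; the
// function names, option names and warning texts are assumptions made here.

// Subset of the HTML sandbox keywords. Each token, when present, lifts one
// restriction from an otherwise fully sandboxed document.
const ALLOW_TOKENS = new Set([
  'allow-forms', 'allow-pointer-lock', 'allow-popups',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
]);

// Parse "name value value; name value ..." into a Map of directive name to
// value tokens. Directive names are case-insensitive; when a directive is
// repeated, the first occurrence wins, as in CSP.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const chunk of serialized.split(';')) {
    const trimmed = chunk.trim();
    if (!trimmed) continue;
    const [name, ...values] = trimmed.split(/\s+/);
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Apply a policy delivered from `source` ("header" or "meta") with the given
// `disposition` ("enforce" or "report"). Returns the effective sandbox flags
// (an object mapping allow-* token to whether it is permitted), or null when
// the directive is absent or ignored, plus the warnings a browser would show.
// Because an ignored directive never sets the sandbox flags, no violation can
// occur and nothing is ever sent to report-uri for it.
function applyPolicy(serialized, { source = 'header', disposition = 'enforce' } = {}) {
  const directives = parsePolicy(serialized);
  const result = { sandboxFlags: null, warnings: [] };
  if (!directives.has('sandbox')) return result;

  if (disposition === 'report') {
    result.warnings.push("The 'sandbox' directive is ignored when monitoring a policy (report-only).");
    return result;
  }
  if (source === 'meta') {
    result.warnings.push("The 'sandbox' directive is ignored when the policy is delivered via a <meta> element.");
    return result;
  }

  // Enforced header policy: start fully sandboxed, lift a flag per known token.
  const flags = {};
  for (const token of ALLOW_TOKENS) flags[token] = false;
  for (const token of directives.get('sandbox')) {
    const lower = token.toLowerCase();
    if (ALLOW_TOKENS.has(lower)) flags[lower] = true;
    else result.warnings.push(`Unknown sandbox token '${token}' ignored.`);
  }
  result.sandboxFlags = flags;
  return result;
}

// Constructed sample policies, one per delivery case.
const samplePolicy = "default-src 'self'; sandbox allow-scripts allow-forms; report-uri /csp-report";
console.log('enforced header:', applyPolicy(samplePolicy));
console.log('report-only header:', applyPolicy(samplePolicy, { disposition: 'report' }));
console.log('meta element:', applyPolicy(samplePolicy, { source: 'meta' }));
```

The report-only and meta cases return the same shape: no sandbox flags and a single warning, which is the observable behaviour the thread describes (the directive is dropped, the browser warns, and no violation report is generated for it).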
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC