
Re: [CSP] violation reports for sandbox

From: Deian Stefan <deian@cs.stanford.edu>
Date: Wed, 05 Nov 2014 20:20:14 -0800
To: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <87egtht0xt.fsf@cs.stanford.edu>

Brian Smith <brian@briansmith.org> writes:
> 1. I noticed that the specification for the sandbox directive does not say
> that violations must be reported, though it does say "The sandbox directive
> will be ignored when monitoring a policy, and when contained in a policy
> defined via a meta element." Is that statement intended to mean that
> sandbox directive violations are never reported, or only that sandbox
> directive violations are never reported in report-only mode?

The statement AFAICT means that the underlying sandbox flags are not set
so the directive and any reporting as a result of violations are ignored
and not reported. Both FF and Chrome do however warn that the directive
is ignored.

> 2. Why aren't the reporting rules the same for sandbox as the normal CSP
> directives? It seems like the security/privacy considerations are
> the same. If there is a reason for the difference, it would be good to note
> that reason in the spec.

To add to this: it would be useful if the HTML spec (which I guess the
CSP spec piggybacks on for sandbox) said something about warnings: I
don't think Chrome and FF are consistent here.

Best,
Deian
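
As an added example (not part of this thread or of any browser's code), the following small Python linter encodes the rule quoted above: a `sandbox` directive found in a report-only policy or in a policy delivered via a `<meta>` element sets no sandbox flags and produces no violation report, so the checker flags it as ineffective. The `PolicySource` class, the `sandbox_status` function and the sample policies are assumptions made for this illustration.

```python
# Added example: check whether a CSP sandbox directive will actually take effect.
# Rule applied (from the CSP spec text quoted in the thread): the sandbox
# directive is ignored when monitoring a policy (report-only) and when the
# policy is delivered via a <meta> element.
from dataclasses import dataclass


@dataclass
class PolicySource:
    text: str           # serialized policy, e.g. "default-src 'self'; sandbox allow-scripts"
    via_meta: bool      # True when delivered in <meta http-equiv="Content-Security-Policy">
    report_only: bool   # True when delivered in Content-Security-Policy-Report-Only


def parse_policy(text):
    """Split a serialized policy into {directive_name: [values]}.

    Directives are ';'-separated; the name and its values are
    whitespace-separated. A repeated directive name is ignored (first wins),
    matching how CSP parsing treats duplicates."""
    directives = {}
    for token in text.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        directives.setdefault(name, parts[1:])
    return directives


def sandbox_status(src):
    """Return (enforced, warning).

    enforced is True only when a sandbox directive is present AND the delivery
    mechanism allows it to set sandbox flags; otherwise a warning explains why
    nothing will be enforced or reported."""
    directives = parse_policy(src.text)
    if "sandbox" not in directives:
        return False, None
    if src.report_only:
        return False, "sandbox ignored: report-only policy sets no flags and sends no report"
    if src.via_meta:
        return False, "sandbox ignored: policy delivered via <meta> element"
    return True, None


if __name__ == "__main__":
    # Constructed sample policies covering the three delivery cases.
    for src in (PolicySource("default-src 'self'; sandbox allow-scripts", False, False),
                PolicySource("sandbox allow-forms", False, True),
                PolicySource("sandbox", True, False)):
        print(src.text, "->", sandbox_status(src))
```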

Received on Thursday, 6 November 2014 04:20:36 UTC
