- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Wed, 05 Nov 2014 20:20:14 -0800
- To: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 6 November 2014 04:20:36 UTC
Brian Smith <brian@briansmith.org> writes:

> 1. I noticed that the specification for the sandbox directive does not say
> that violations must be reported, though it does say "The sandbox directive
> will be ignored when monitoring a policy, and when contained in a policy
> defined via a meta element." Is that statement intended to mean that
> sandbox directive violations are never reported, or only that sandbox
> directive violations are never reported in report-only mode?

The statement AFAICT means that the underlying sandbox flags are not set, so
the directive and any reporting as a result of violations are ignored and
not reported. Both FF and Chrome do however warn that the directive is
ignored.

> 2. Why aren't the reporting rules the same for sandbox as the normal CSP
> directives? It seems like the security/privacy considerations are the
> same. If there is a reason for the difference, it would be good to note
> that reason in the spec.

To add to this: it would be useful if the HTML spec (which I guess the CSP
spec piggybacks on for sandbox) said something about warnings: I don't think
Chrome and FF are consistent here.

Best,
Deian
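An added example (not part of the thread) of the defender-side check this discussion suggests: a small lint that parses a serialized CSP policy and flags a `sandbox` directive that the user agent will ignore because the policy is report-only or delivered via a `<meta>` element. The `delivery`/`mode` parameters and the `SandboxFinding` type are assumptions of this example, not anything from the spec.

```python
"""Lint for CSP 'sandbox' directives that browsers will silently ignore."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SandboxFinding:
    delivery: str           # "header" or "meta" (assumed labels)
    mode: str               # "enforce" or "report-only" (assumed labels)
    flags: tuple            # allow-* tokens given to the sandbox directive
    report_uri: Optional[str]
    ignored: bool           # True when the UA will not apply the directive
    reason: Optional[str]


def parse_policy(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [values]}.

    CSP keeps only the first occurrence of a repeated directive name,
    so setdefault() mirrors that behaviour.
    """
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def check_sandbox(policy: str, delivery: str = "header",
                  mode: str = "enforce") -> Optional[SandboxFinding]:
    """Return a finding for the sandbox directive, or None if it is absent."""
    directives = parse_policy(policy)
    if "sandbox" not in directives:
        return None
    # Per the spec text quoted in the thread: the directive is ignored when
    # monitoring (report-only) and when the policy comes from a <meta> element,
    # so no sandbox flags are set and no violation reports are generated.
    if mode == "report-only":
        reason = "sandbox is ignored in report-only mode: no flags, no reports"
    elif delivery == "meta":
        reason = "sandbox is ignored when the policy is delivered via <meta>"
    else:
        reason = None
    uris = directives.get("report-uri")
    return SandboxFinding(delivery, mode, tuple(directives["sandbox"]),
                          uris[0] if uris else None, reason is not None, reason)
```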