W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [CSP] violation reports for sandbox

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 5 Nov 2014 20:20:24 -0800
Message-ID: <CAPfop_3khHNH2T4QLA1HNOAXqUt3DSSOPWiuWP_2Nbq=ASnGzA@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Additionally, I believe, you can get what is equivalent to violation
reports for violations of (dis) allow-scripts (dis) allow-forms via
the appropriate script-src and form-action directives.

What remains is violations of allow-same-origin and
allow-top-navigation, which as Dan pointed out have I think a harder
to define concept of violations.

--dev

On 5 November 2014 20:12, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 11/5/2014 7:41 PM, Brian Smith wrote:
>> 1. I noticed that the specification for the sandbox directive does not
>> say that violations must be reported, though it does say "The sandbox
>> directive will be ignored when monitoring a policy, and when contained
>> in a policy defined via a meta element." Is that statement intended to
>> mean that sandbox directive violations are never reported, or only that
>> sandbox directive violations are never reported in report-only mode?
>
> Is there any meaningful way to violate the sandbox directive? It applies
> processing rules to a document and the document will always "work" (to
> varying extents) within those restrictions.
>
>> 2. Why aren't the reporting rules the same for sandbox as the normal CSP
>> directives?
>
> Define "normal directives", and how are the rules different for sandbox?
> If we can define a way to violate it then we would certainly want to
> report it, but I don't see how a violation is possible.
>
> the frame-ancestors directive is more similar to the sandbox directive
> in applying to the way the document itself is loaded than to directives
> dealing with content within the document like what I assume you mean by
> "normal" directives. But frame-ancestors can cause documents not to load
> so there is a violation we can and should report.
>
> -Dan Veditz
>
Received on Thursday, 6 November 2014 04:21:12 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC