Re: [CSP] violation reports for sandbox

Additionally, I believe, you can get what is equivalent to violation
reports for violations of (dis) allow-scripts (dis) allow-forms via
the appropriate script-src and form-action directives.

What remains is violations of allow-same-origin and
allow-top-navigation, which as Dan pointed out have I think a harder
to define concept of violations.


On 5 November 2014 20:12, Daniel Veditz <> wrote:
> On 11/5/2014 7:41 PM, Brian Smith wrote:
>> 1. I noticed that the specification for the sandbox directive does not
>> say that violations must be reported, though it does say "The sandbox
>> directive will be ignored when monitoring a policy, and when contained
>> in a policy defined via a meta element." Is that statement intended to
>> mean that sandbox directive violations are never reported, or only that
>> sandbox directive violations are never reported in report-only mode?
> Is there any meaningful way to violate the sandbox directive? It applies
> processing rules to a document and the document will always "work" (to
> varying extents) within those restrictions.
>> 2. Why aren't the reporting rules the same for sandbox as the normal CSP
>> directives?
> Define "normal directives", and how are the rules different for sandbox?
> If we can define a way to violate it then we would certainly want to
> report it, but I don't see how a violation is possible.
> the frame-ancestors directive is more similar to the sandbox directive
> in applying to the way the document itself is loaded than to directives
> dealing with content within the document like what I assume you mean by
> "normal" directives. But frame-ancestors can cause documents not to load
> so there is a violation we can and should report.
> -Dan Veditz

Received on Thursday, 6 November 2014 04:21:12 UTC