- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 5 Nov 2014 20:20:24 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Additionally, I believe, you can get what is equivalent to violation reports for violations of (dis) allow-scripts (dis) allow-forms via the appropriate script-src and form-action directives. What remains is violations of allow-same-origin and allow-top-navigation, which as Dan pointed out have I think a harder to define concept of violations. --dev On 5 November 2014 20:12, Daniel Veditz <dveditz@mozilla.com> wrote: > On 11/5/2014 7:41 PM, Brian Smith wrote: >> 1. I noticed that the specification for the sandbox directive does not >> say that violations must be reported, though it does say "The sandbox >> directive will be ignored when monitoring a policy, and when contained >> in a policy defined via a meta element." Is that statement intended to >> mean that sandbox directive violations are never reported, or only that >> sandbox directive violations are never reported in report-only mode? > > Is there any meaningful way to violate the sandbox directive? It applies > processing rules to a document and the document will always "work" (to > varying extents) within those restrictions. > >> 2. Why aren't the reporting rules the same for sandbox as the normal CSP >> directives? > > Define "normal directives", and how are the rules different for sandbox? > If we can define a way to violate it then we would certainly want to > report it, but I don't see how a violation is possible. > > the frame-ancestors directive is more similar to the sandbox directive > in applying to the way the document itself is loaded than to directives > dealing with content within the document like what I assume you mean by > "normal" directives. But frame-ancestors can cause documents not to load > so there is a violation we can and should report. > > -Dan Veditz >
Received on Thursday, 6 November 2014 04:21:12 UTC