W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [CSP] violation reports for sandbox

From: Brian Smith <brian@briansmith.org>
Date: Mon, 19 Jan 2015 14:07:22 -0800
Message-ID: <CAFewVt6A6KjKhCUUzCgwL9p3LcsaQ4OdYc=r-+jjQe+0i3cvMw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote:
> On Thu, Nov 6, 2014 at 11:49 PM, Brian Smith <brian@briansmith.org> wrote:
>> Based on your response and others' responses, it is now clear to me
>> that CSP sandbox should not cause violation reports. I think that
>> makes sense and I hope that is also the case for frame-ancestors too.
>
> I've explicitly addressed this in
> https://github.com/w3c/webappsec/commit/971dd0916a7dcb558d3433278203c6930902c281.
> WDYT?

Looks good. I think it would be good to also list the things that
aren't supported in <meta> in a note in section 3.3, which specifies
the <meta> element. This way, the limitations of the <meta> element
become clearer. Additionally, I think there should be a suggestion
that the user agent should issue a warning when a directive is
detected in a <meta> element that isn't supported in the meta element.

Also, is it still intended that Content-Security-Policy-Report-Only
isn't allowed in <meta>? I thought that this restriction was included
back when <meta>- and header-field- specified policies were mutually
exclusive, but now that those rules have changed, does it still make
sense to prohibit <meta
http-equiv=Content-Security-Policy-Report-Only>?

Cheers,
Brian
Received on Monday, 19 January 2015 22:07:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC