- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 12 Jan 2010 11:47:27 +0000 (UTC)
On Thu, 5 Nov 2009, Adam Barth wrote: > > If a page contains a sandboxed frame, the document contained in the > frame is only sandboxed because the user encountered the document via > the frame. If the use encounters the same document directly (e.g., in a > top-level browsing context), then the document will not be sandboxed. > > I recommend letting servers deliver the sandbox policy both via the > sandbox attribute and via an HTTP header. The value of the HTTP header > approach is that the document will be sandboxed in whatever context the > user agent loads the document. For various esoteric reasons, I wrote up > a description of how this might work on Mozilla's Wiki: > <https://wiki.mozilla.org/Security/CSP/Sandbox>. Based on our discussion, and inspired by Helen Wang's proposal, I've introduced a new MIME type text/sandboxed-html for this case. I expect CSP will make this more powerful going forward, but CSP doesn't solve the problem for legacy browsers, which this does. (I'll be doing more work on sandbox="" in the near future. Sorry for not getting through all the backlog today.) -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 12 January 2010 03:47:27 UTC