- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 5 Dec 2011 23:05:29 -0800
I wrote some somewhat goofy text in the CSP spec trying to integrate the sandbox directive with HTML's iframe sandbox machinery. Hixie and I chatted in #whatwg about how best to do the integration. I think Hixie is going to refactor the machinery in the spec to be a bit more generic and to call out to the CSP spec to get the sandbox flags from the CSP policy. There are more details in the IRC log below.

Thanks,
Adam

[06:43am] abarth: Hixie: do you have a moment to tell me how nutty this text about sandbox flags is? http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#sandbox
[06:43am] abarth: "When enforcing the sandbox directive, the user agent must set the sandbox flags for the protected document as if the document were contained in a nested browsing context within a document with sandbox flags given by the directive-value."
[06:45am] Hixie: hrm
[06:45am] abarth: i don't think it's quite right
[06:45am] abarth: i couldn't find a good hook in HTML for this
[06:45am] Hixie: what you probably want to do is set some hook that i can then do the right magic with
[06:46am] Hixie: rather than try to poke the html spec flags
[06:46am] abarth: ok
[06:46am] Hixie: because the flags you have to set are pretty complex and subtle
[06:46am] Hixie: and involve the navigation algorithm, etc
[06:46am] abarth: how about the "CSP sandbox flags" as a property of a Document
[06:46am] abarth: which will be a string like you'd get in the iframe attribute?
[06:46am] abarth: so HTML handles the parsing
[06:46am] Hixie: has to be on a browsing context, not a document
[06:46am] Hixie: doesn't make sense to sandbox a document
[06:46am] abarth: why not?
[06:47am] abarth: sorry, let me ask a different question
[06:47am] abarth: is a browsing context preserved across navigations?
[06:47am] Hixie: yes
[06:48am] Hixie: but the flags can change during the lifetime of the browsing context
[06:48am] abarth: ah
[06:48am] abarth: ok
[06:48am] Hixie: what matters to all the security stuff is the state when the browsing context was last navigated
[06:49am] Hixie: e.g. "if... its browsing context had its sandboxed forms browsing context flag set when the Document was created ..."
[06:49am] abarth: i see
[06:49am] Hixie: but the net result is that you have to set the flags before the document is created
[06:49am] abarth: do we have the response headers when the document is created?
[06:49am] Hixie: er, before the Document is created
[06:49am] Hixie: sure
[06:49am] Hixie: assuming it came over HTTP
[06:50am] abarth: ok, so when the document is created, HTML needs to ask about the CSP policy for the document
[06:50am] abarth: or for the response
[06:50am] Hixie: we get the headers by navigate step 19 or so (type sniffing step), we create the document as a side-effect of step 20 (the switch statement that relies on the sniffed type)
[06:51am] abarth: Upon receiving an HTTP response containing ...
[06:51am] abarth: that's when the CSP policy starts getting enforced
[06:51am] abarth: "Upon receiving an HTTP response containing at least one Content-Security-Policy header field, the user agent must enforce the combination of all the policies contained in these header fields."
[06:52am] Hixie: so... what happens if the page navigates itself to a page without the CSP?
[06:52am] Hixie: or does a history.back() to an accomplice page that isn't sandboxed?
[06:52am] abarth: that's fine
[06:53am] abarth: consider the unique-origin sandbox bits
[06:53am] abarth: or the disable-script
[06:53am] Hixie: k
[06:53am] abarth: those make sense on a per-document basis
[06:53am] Hixie: so when do we reset the flags?
[06:53am] abarth: each navigation
[06:54am] abarth: what actually happens in the implementation is that we copy the sandbox flags from the Frame to the Document when the document is created
[06:54am] abarth: because we're supposed to freeze the sandbox flags
[06:54am] abarth: we enquire about the CSP policy at that time
[06:54am] abarth: that happens each time a new document is loaded into a Frame
[06:54am] Hixie: hmm... the document is created before the session history change happens
[06:55am] Hixie: so we'd have to reset the flags before the old document is removed...
[06:55am] Hixie: might make sense to just set the flags temporarily while the document is being created or something
[06:55am] Hixie: how is this supposed to interact with the sandbox attribute? union?
[06:55am] abarth: can we not just set them on the document when we copy the state to the document?
[06:56am] abarth: Hixie: it's the same combination operator that happens when you have nested iframes
[06:56am] abarth: that each contribute a sandbox attribute
[06:57am] Hixie: hmmm
[06:57am] Hixie: so the way it works for nested iframes is that setting the flag on an iframe just forces it on for all descendant iframes
[06:58am] abarth: yeah, so the union
[06:58am] abarth: (assuming the items are things like "sandboxed scripts browsing context flag")
[06:58am] Hixie: the precise text right now is "In addition, any browsing contexts nested within an iframe, either directly or indirectly, must have all the flags set on them as were set on the iframe's Document's browsing context when the iframe's Document was created."
[06:59am] Hixie: so i guess i'd just change that to "nested within a browsing context"
[06:59am] Hixie: and change the other "iframe"s to "browsing context"
[06:59am] abarth: yes
[07:00am] abarth: "iframe's Document's browsing context when the iframe's Document was created"
[07:00am] abarth: that state gets represented in the implementation
[07:00am] abarth: explicitly as a property of the document
[07:00am] Hixie: sigh, probably makes sense to just hoist all this stuff up to a generic section
[07:00am] Hixie: and then invoke it from iframe creation and from navigation
[07:00am] Hixie: or something
[07:00am] Hixie: and maybe do your "freeze on document" thing at the same time
[07:00am] Hixie: for clarity
[07:00am] abarth: sorry to make work for you
[07:00am] Hixie: no worries
[07:00am] Hixie: tis my job
[07:01am] Hixie: can you file a bug or send mail about it? reference this irc log if you can
[07:01am] abarth: sure
[07:01am] Hixie: probably won't happen until early next year
[07:01am] abarth: yeah, there's no rush
[07:01am] Hixie: k
[07:01am] abarth: thanks
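The model the log converges on (flags from ancestors, from the iframe sandbox attribute, and from a CSP sandbox directive combined by union, then frozen onto the Document when it is created) as an added toy example; this is not spec text or browser code, and the flag names, the allow-* token subset and the create_document helper are assumptions for illustration:

```python
"""Toy model (added here, not spec text) of how a CSP `sandbox` directive and
iframe sandbox attributes combine into the flags frozen on a Document."""
from __future__ import annotations

# Assumed subset of HTML's sandboxing flags, keyed by the allow-* token that clears each.
ALLOW_TOKENS = {
    "allow-scripts": "sandboxed scripts browsing context flag",
    "allow-forms": "sandboxed forms browsing context flag",
    "allow-same-origin": "sandboxed origin browsing context flag",
    "allow-top-navigation": "sandboxed top-level navigation browsing context flag",
    "allow-popups": "sandboxed auxiliary navigation browsing context flag",
}
ALL_FLAGS = frozenset(ALLOW_TOKENS.values())


def parse_sandbox(value: str | None) -> frozenset[str]:
    """Parse an iframe sandbox attribute or CSP sandbox directive value.
    None means 'not present' (no flags); an empty string means 'present with
    no tokens', i.e. every flag set. Unknown tokens are ignored."""
    if value is None:
        return frozenset()
    allowed = {ALLOW_TOKENS[t] for t in value.lower().split() if t in ALLOW_TOKENS}
    return ALL_FLAGS - allowed


class Document:
    """Flags are copied (frozen) onto the Document when it is created, so a
    later change to the frame's attribute does not affect this Document."""
    def __init__(self, flags: frozenset[str]):
        self.sandbox_flags = flags


def create_document(parent: Document | None, iframe_sandbox: str | None,
                    csp_sandbox: str | None) -> Document:
    """Flags forced on by an ancestor Document, by the iframe attribute and by
    the CSP directive of the response combine with one operator: set union.
    A navigation creates a new Document and re-derives the flags from scratch."""
    inherited = parent.sandbox_flags if parent else frozenset()
    return Document(inherited | parse_sandbox(iframe_sandbox) | parse_sandbox(csp_sandbox))


def scripts_allowed(doc: Document) -> bool:
    """A document can run script only if nothing in the chain sandboxed scripts."""
    return ALLOW_TOKENS["allow-scripts"] not in doc.sandbox_flags
```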
Received on Monday, 5 December 2011 23:05:29 UTC