Re: [CSP] violation reports for sandbox

Daniel Veditz <dveditz@mozilla.com> wrote:
> Is there any meaningful way to violate the sandbox directive? It applies
> processing rules to a document and the document will always "work" (to
> varying extents) within those restrictions.

For most CSP directives, when something is blocked/disabled, a
violation report is sent. But apparently not for "sandbox". One might
expect a violation report, for example, if "allow-forms" is not set
and a form is encountered, or "allow-scripts" is not set and a script
is encountered.

>> 2. Why aren't the reporting rules the same for sandbox as the normal CSP
>> directives?
>
> Define "normal directives", and how are the rules different for sandbox?
> If we can define a way to violate it then we would certainly want to
> report it, but I don't see how a violation is possible.

The reason I'm asking these questions is so I can define "normal
directives" in some useful way.

IIUC, CSP sandbox doesn't block anything, but rather just tells HTML5
sandbox what to block. IMO, that is a distinction without a
difference. It basically comes down to "HTML5 sandbox isn't part of
CSP and CSP isn't part of HTML5 so there's no expectation of
consistency" which is hopefully a temporary state. Regardless, that
can be resolved later.

> the frame-ancestors directive is more similar to the sandbox directive
> in applying to the way the document itself is loaded than to directives
> dealing with content within the document like what I assume you mean by
> "normal" directives. But frame-ancestors can cause documents not to load
> so there is a violation we can and should report.

Please see my other message about the problem with reporting
violations for frame-ancestors.

Based on your response and others' responses, it is now clear to me
that CSP sandbox should not cause violation reports. I think that
makes sense, and I hope that is also the case for frame-ancestors.

Cheers,
Brian

Received on Thursday, 6 November 2014 22:50:26 UTC