[whatwg] Comments on @sandbox

Ian Hickson ian at hixie.ch
Tue Jan 12 03:47:27 PST 2010

On Thu, 5 Nov 2009, Adam Barth wrote:
> If a page contains a sandboxed frame, the document contained in the 
> frame is only sandboxed because the user encountered the document via 
> the frame.  If the use encounters the same document directly (e.g., in a 
> top-level browsing context), then the document will not be sandboxed.
> I recommend letting servers deliver the sandbox policy both via the 
> sandbox attribute and via an HTTP header.  The value of the HTTP header 
> approach is that the document will be sandboxed in whatever context the 
> user agent loads the document.  For various esoteric reasons, I wrote up 
> a description of how this might work on Mozilla's Wiki: 
> <https://wiki.mozilla.org/Security/CSP/Sandbox>.

Based on our discussion, and inspired by Helen Wang's proposal, I've 
introduced a new MIME type text/sandboxed-html for this case. I expect CSP 
will make this more powerful going forward, but CSP doesn't solve the 
problem for legacy browsers, which this does.

(I'll be doing more work on sandbox="" in the near future. Sorry for not 
getting through all the backlog today.)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list