Disable cross-origin features on sandboxed pages #162

Closed
devd opened this issue May 7, 2018 · 2 comments

devd commented May 7, 2018

If a top-level document sandboxes itself using "CSP: sandbox" to sandbox itself, feature policy should treat it as a cross-origin document and disable any features that are disabled in cross-origin frames.

This is based on w3c/payment-request#698 (comment) by @clelland. I am not very familiar with this spec, so apologies if I made a mistake in filing this issue.

Member

annevk commented May 7, 2018

This should fall out of HTML integration automatically. What's the status on that?

pabrai added the feedback label May 8, 2019

@clelland
Collaborator

@marcoscaceres and I met today to discuss mechanisms to treat top-level documents as if they were untrusted cross-origin embeds, and have a concrete proposal to disable all (safe-to-disable) features by default, and allow individual ones to be overridden. See #189 (comment)
