Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clear-Site-Data and sandboxing #64

Open
annevk opened this issue Jul 13, 2020 · 3 comments
Open

Clear-Site-Data and sandboxing #64

annevk opened this issue Jul 13, 2020 · 3 comments

Comments

@annevk
Copy link
Member

annevk commented Jul 13, 2020

The way the origin is currently derived completely ignores sandboxing. That seems like a bug.
@jakearchibald
Copy link

Agreed. Putting Content-Security-Policy: sandbox on a response should protect your origin from that response. Things like cookie & clear-site-data headers shouldn't operate on the URL origin.

@annevk
Copy link
Member Author

annevk commented Oct 4, 2021

I could see the argument that both are set on the server, but if we ever get something like Origin Policy and that could set sandboxing, I'd kinda expect it to be taken into account, so we might as well do it here too.

@jakearchibald
Copy link

My use-case: I've created an endpoint that proxies content from another site, but adds an ACAO header and sets Content-Security-Policy: sandbox (replacing any previous Content-Security-Policy header).

I hoped this would make my origin safe from this resource. Maybe things can't be that simple 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jakearchibald @annevk