w3c / webappsec-clear-site-data

WebAppSec Clear Site Data
https://w3c.github.io/webappsec-clear-site-data/

Clear-Site-Data and sandboxing #64

Open annevk opened 4 years ago

annevk commented 4 years ago

The way the origin is currently derived completely ignores sandboxing. That seems like a bug.

jakearchibald commented 2 years ago

Agreed. Putting Content-Security-Policy: sandbox on a response should protect your origin from that response. Things like cookie & clear-site-data headers shouldn't operate on the URL origin.

annevk commented 2 years ago

I could see the argument that both are set on the server, but if we ever get something like Origin Policy and that could set sandboxing, I'd kinda expect it to be taken into account, so we might as well do it here too.

jakearchibald commented 2 years ago

My use-case: I've created an endpoint that proxies content from another site, but adds an ACAO header and sets Content-Security-Policy: sandbox (replacing any previous Content-Security-Policy header).

I hoped this would make my origin safe from this resource. Maybe things can't be that simple 😄
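A response-header filter for the kind of proxy endpoint described above, as an added example that is not part of the thread or the specification. Because the thread notes that cookie and Clear-Site-Data headers act on the URL origin regardless of sandboxing, it drops them before the sandbox policy is applied. The function name, the `*` value for ACAO and the sample headers are assumptions made for illustration.

```javascript
// Added example: response-header filter for a sandboxing proxy endpoint.
// Headers that act on the URL origin even when CSP sandbox is set (per this issue).
const ORIGIN_SCOPED = new Set(["set-cookie", "clear-site-data"]);
// Headers the proxy replaces with its own values.
const REPLACED = new Set(["content-security-policy", "access-control-allow-origin"]);

/**
 * Hypothetical helper, not an API of any library.
 * @param {Array<[string, string]>} upstream header pairs from the proxied site
 * @returns {{headers: Array<[string, string]>, dropped: string[]}}
 */
function filterProxiedHeaders(upstream) {
  const headers = [];
  const dropped = [];
  for (const [name, value] of upstream) {
    const lower = name.toLowerCase(); // header names are case-insensitive
    if (ORIGIN_SCOPED.has(lower)) {
      dropped.push(lower); // keep a record so the proxy can log what it removed
      continue;
    }
    if (REPLACED.has(lower)) continue; // discard upstream value, ours is added below
    headers.push([name, value]);
  }
  headers.push(["Content-Security-Policy", "sandbox"]);
  headers.push(["Access-Control-Allow-Origin", "*"]); // assumed value
  return { headers, dropped };
}

// Constructed sample of upstream response headers.
const sampleUpstream = [
  ["Content-Type", "text/html"],
  ["Set-Cookie", "sid=abc; Path=/"],
  ["CLEAR-SITE-DATA", '"cookies", "storage"'],
  ["Content-Security-Policy", "default-src 'self'"],
];
const result = filterProxiedHeaders(sampleUpstream);
console.log(result.headers, result.dropped);
```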