- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 30 Apr 2013 12:54:47 -0700
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Maybe we could make a more general statement that's not specific to srcdoc? For example, perhaps any time a document inherits the origin of another document, it should also inherit the CSP policy? That would include `<iframe src="about:blank"></iframe>` for example.

Adam

On Tue, Apr 30, 2013 at 12:07 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> The current wording seems to require that the parent's CSP policy is enforced on the iframe even if the iframe is sandboxed (w/o allow-same-origin). I think it is better that a sandboxed iframe not inheriting the privileges of the parent also not inherit the CSP policy.
>
> --dev
>
>
> On 29 April 2013 22:29, Adam Barth <w3c@adambarth.com> wrote:
>> ACTION-115 asks me to make a proposal for handling the interaction between CSP and srcdoc. I've made a first pass at speccing the interaction in this change:
>>
>> https://dvcs.w3.org/hg/content-security-policy/rev/edce1a90a0c4
>>
>> Please let me know if you have any comments.
>>
>> ACTION-115 also asks me to make a proposal for handling the interaction between CSP and blob URLs. I don't believe we need to change anything about the spec to handle this interaction. Please let me know if you think there's something we need to add to handle this interaction.
>>
>> Adam
Received on Tuesday, 30 April 2013 19:55:46 UTC
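As an added illustration, not code from the thread or from the CSP spec, the following JavaScript models the rule discussed above (inherit the creator's origin, inherit the creator's CSP) together with Dev's point that a sandboxed frame without allow-same-origin gets a fresh origin and so would not inherit. The frame descriptions, header string, origins and the simplified source matching are constructed assumptions for the model.

```javascript
// Toy model of the proposal in the thread: a child document inherits its
// creator's CSP exactly when it inherits the creator's origin. This is a
// simplification for illustration, not the spec's actual algorithm.

// Parse a serialized CSP header value into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Does the child inherit the creator's origin? `child` is a constructed
// description: { src, sandboxed, allowSameOrigin }. A sandboxed frame without
// allow-same-origin gets an opaque origin, so it inherits nothing.
function inheritsOrigin(child) {
  if (child.sandboxed && !child.allowSameOrigin) return false;
  return child.src === "about:blank" ||
         child.src === "about:srcdoc" ||
         child.src.startsWith("blob:");
}

// Under the modelled rule the child's effective policy is the creator's policy
// when the origin is inherited, and no policy at all otherwise.
function effectivePolicy(parentPolicy, child) {
  return inheritsOrigin(child) ? parentPolicy : null;
}

// Would a script be permitted? Inline script needs 'unsafe-inline'; an
// external script needs its origin listed, or 'self' when it is same-origin.
// Only script-src, default-src, 'self', '*' and exact origins are modelled.
function allowsScript(policy, selfOrigin, scriptSrc) {
  if (policy === null) return true;                      // nothing to enforce
  const sources = policy.get("script-src") || policy.get("default-src");
  if (!sources) return true;                             // no governing directive
  if (scriptSrc === "inline") return sources.includes("'unsafe-inline'");
  const origin = new URL(scriptSrc).origin;
  return sources.some(s =>
    s === "*" || s === origin || (s === "'self'" && origin === selfOrigin));
}

// Constructed sample: a parent page policy and three kinds of srcdoc frame.
const parentPolicy = parseCsp("default-src 'self'; script-src 'self' https://cdn.example.test");
const plainSrcdoc = { src: "about:srcdoc", sandboxed: false, allowSameOrigin: false };
const sandboxedSrcdoc = { src: "about:srcdoc", sandboxed: true, allowSameOrigin: false };
const sandboxedSameOrigin = { src: "about:srcdoc", sandboxed: true, allowSameOrigin: true };
```

With the parent policy above, the plain and allow-same-origin srcdoc frames are held to the parent's script-src (inline script blocked, the listed CDN allowed), while the fully sandboxed frame carries no inherited policy in this model.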