ISSUE-15: How to handle srcdoc, blob:, di: and ways of directly creating content

SRCDOC, BLOB, ETC

How to handle srcdoc, blob:, di: and ways of directly creating content

State:
CLOSED
Product:
CSP Level 2
Raised by:
Brad Hill
Opened on:
2012-07-03
Description:
http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html

How to handle "inline" content, whether specified by an attribute or by URI schemes that either carry the content themselves or are origin-ambiguous pointers to content, needs to be documented. If such content does not inherit the parent's CSP policy, for example, this may give injected content a way to add unauthorized content.
Related Actions Items:
Related emails:
No related emails

Related notes:

Re-raise for 1.1 as these features are not currently widely implemented.

srcdoc is different because it has no URI

Brad Hill, 11 Sep 2012, 21:20:07

Re-opened for CSP 1.1

Brad Hill, 15 Jan 2013, 17:46:17

[bhill]: http://www.w3.org/2011/webappsec/track/issues/15

29 Jan 2013, 22:09:11

* srcdoc inherits parent's policy.
* blob, filesystem, etc. must be explicitly whitelisted in *-src.

Mike West, 10 Feb 2014, 14:47:12
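The two resolution points above (a srcdoc frame inherits its parent's policy; blob:, filesystem: and similar schemes are not covered by a wildcard or host source and must appear explicitly in the relevant *-src directive) can be made concrete with a small, simplified source-list matcher. The code below is an added illustration, not part of this issue or of the CSP specification's matching algorithm: ports, paths and redirects are ignored, and the function names, the sample policies and the sample URLs are all constructed for the example.

```python
"""Simplified CSP Level 2 source-list matcher (illustrative only).

Assumptions (constructed for this example): only scheme, host and the
'self' / 'none' / '*' keywords are matched; ports, paths and redirects
are ignored. The real specification algorithm is more detailed.
"""
from typing import Optional
from urllib.parse import urlparse

# Schemes the wildcard '*' never matches. Each must be listed explicitly
# as a scheme-source (for example "blob:") to be allowed, which is what
# the resolution on this issue requires.
LOCAL_SCHEMES = {"blob", "data", "filesystem"}


def parse_policy(policy: str) -> dict:
    """'script-src a b; img-src *' -> {'script-src': ['a', 'b'], 'img-src': ['*']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    # "*.cdn.example" matches "a.cdn.example" but not "cdn.example" itself.
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression (e.g. "'self'", "blob:", "*.cdn.example") match url?"""
    u = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "*":
        return u.scheme not in LOCAL_SCHEMES
    if expr == "'self'":
        # blob:/filesystem:/data: URLs carry no authority component here, so
        # they never equal the page origin; they need an explicit scheme-source.
        return u.netloc != "" and f"{u.scheme}://{u.netloc}" == page_origin
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1].lower()          # scheme-source, e.g. "blob:"
    # host-source, with or without an explicit scheme
    if "://" in expr:
        scheme, host = expr.split("://", 1)
        if u.scheme != scheme.lower():
            return False
    else:
        host = expr
        if u.scheme not in ("http", "https"):        # simplification of the spec rule
            return False
    host = host.split("/", 1)[0].split(":", 1)[0]     # drop path and port (ignored here)
    return _host_matches(host.lower(), (u.hostname or "").lower())


def allows(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Does `policy` allow `url` to load under `directive` (e.g. 'script-src')?
    Falls back to default-src as CSP does; a policy naming neither allows the load."""
    d = parse_policy(policy)
    sources = d.get(directive, d.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(e, url, page_origin) for e in sources)


def policy_for_frame(parent_policy: str, srcdoc: Optional[str],
                     response_policy: Optional[str]) -> Optional[str]:
    """Which policy governs a child frame. A srcdoc frame has no URL of its
    own, so it inherits its parent's policy (the resolution on this issue);
    a frame loaded from a URL is governed by whatever its own response delivers."""
    if srcdoc is not None:
        return parent_policy
    return response_policy


if __name__ == "__main__":
    origin = "https://app.example"                   # constructed sample origin
    print(allows("script-src 'self'", "script-src", "blob:https://app.example/3fa8", origin))        # False
    print(allows("script-src 'self' blob:", "script-src", "blob:https://app.example/3fa8", origin))  # True
    print(policy_for_frame("script-src 'self'", "<p>inline</p>", None))                              # script-src 'self'
```

The point to take from `source_matches` is that a wildcard `*` or `'self'` does not quietly admit blob:, data: or filesystem: URLs; a page that needs them has to say so in the directive, which is also where a reviewer should look when auditing a policy for those schemes. `policy_for_frame` models the other half of the resolution: because srcdoc content has no URL, there is no separate response to carry a policy, so the parent's policy is the one that applies.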



Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>, Chairs, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>, Staff Contacts