frame-src and navigation

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 7 Apr 2011 16:47:52 -0700
Message-ID: <BANLkTinYoK_qZkj3A_Za7d3N4nrYX+Gvfw@mail.gmail.com>
To: public-web-security@w3.org

Suppose I have the following CSP policy:

frame-src http://example.com

Now, I have the following HTML in my page:

<iframe src="http://example.com/foo.html"></iframe>

Where foo.html is the following:

<a href="http://mozilla.org/">Mozilla</a>

What happens when the user clicks that hyperlink?  In particular, does
the frame-src directive stop the frame from being navigated
altogether, or does it only affect loads caused by the page with the
policy?

Adam
Received on Thursday, 7 April 2011 23:48:55 GMT
