
Re: frame-src and navigation

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 20 Apr 2011 11:36:35 -0700
Message-ID: <BANLkTik3ZvwAxEL6-O1HQNvVD9+1Xzvb+Q@mail.gmail.com>
To: public-web-security@w3.org
I haven't heard back for two weeks, so what I've implemented is that
the parent frame's CSP policy always controls which URLs can be loaded
in the frame, regardless of who performs the navigation.  We should
clarify the spec regardless of what we decide is best.

Thanks,
Adam


On Thu, Apr 7, 2011 at 4:47 PM, Adam Barth <w3c@adambarth.com> wrote:
> Suppose I have the following CSP policy:
>
> frame-src http://example.com
>
> Now, I have the following HTML in my page:
>
> <iframe src="http://example.com/foo.html"></iframe>
>
> Where foo.html is the following:
>
> <a href="http://mozilla.org/">Mozilla</a>
>
> What happens when the user clicks that hyperlink?  In particular, does
> the frame-src directive stop the frame from being navigated
> altogether, or does it only affect loads caused by the page with the
> policy?
>
> Adam
>
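A small model of the two readings of frame-src that the thread asks about, added here as an illustration and not part of the original message or of any browser's code; the parent page URL http://parent.test/, the simplified CSP 1.0 source-expression matcher and the `semantics` switch are assumptions of this example:

```python
from urllib.parse import urlsplit

# Constructed example: a simplified CSP 1.0 source matcher plus a model of
# the two candidate frame-src semantics. Policy values and URLs are made up.
DEFAULT_PORTS = {"http": 80, "https": 443}

def source_matches(expr, url, page_url):
    """Does one CSP source expression match url? page_url resolves 'self'."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    if expr == "*":
        return True
    if expr == "'none'":
        return False
    if expr == "'self'":
        p = urlsplit(page_url)
        return (u.scheme, u.hostname, port) == \
               (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))
    if expr.endswith(":"):                        # scheme-source, e.g. "https:"
        return u.scheme == expr[:-1]
    scheme, _, hostport = expr.rpartition("://")  # host-source: [scheme://]host[:port]
    if scheme and scheme != u.scheme:
        return False
    host, _, eport = hostport.partition(":")
    if host.startswith("*."):                     # "*.example.com" matches subdomains
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif u.hostname != host:
        return False
    if eport == "*":
        return True
    if eport:
        return int(eport) == port
    return port == DEFAULT_PORTS.get(scheme or u.scheme)  # no port: default port

def frame_src_allows(policy, url, page_url):
    """policy is the frame-src directive value, e.g. 'http://example.com'."""
    return any(source_matches(e, url, page_url) for e in policy.split())

def navigate(policy, page_url, frame_url, target, initiator, semantics):
    """Return the frame's URL after an attempted navigation.
    'parent-controls': frame-src applies to every navigation of the frame,
    whoever initiates it (the reading the message above says was implemented).
    'initiator-only': frame-src only checks loads the policy page itself causes."""
    checked = semantics == "parent-controls" or initiator == "parent"
    if checked and not frame_src_allows(policy, target, page_url):
        return frame_url                          # blocked: frame stays put
    return target

POLICY, PAGE = "http://example.com", "http://parent.test/"   # assumed parent page

def scenario(semantics):
    """Replay the thread's example: parent loads foo.html, user clicks the link."""
    frame = navigate(POLICY, PAGE, "about:blank",
                     "http://example.com/foo.html", "parent", semantics)
    return navigate(POLICY, PAGE, frame, "http://mozilla.org/", "frame", semantics)
```

Under the implemented reading the click is blocked and the frame stays on foo.html; under the alternative reading the frame navigates to mozilla.org because the policy page did not cause the load.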
Received on Wednesday, 20 April 2011 18:37:35 GMT