Re: frame-src and navigation

From: Brandon Sterne <bsterne@mozilla.com>
Date: Thu, 21 Apr 2011 08:38:10 -0700
Message-ID: <4DB04F62.4010308@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

This sounds reasonable to me.  If there aren't objections I'll make this
change as well to the spec.

-Brandon


On 4/20/11 11:36 AM, Adam Barth wrote:
> I haven't heard back for two weeks, so what I've implemented is that
> the parent frame's CSP policy always controls which URLs can be loaded
> in the frame, regardless of who performs the navigation.  We should
> clarify the spec regardless of what we decide is best.
> 
> Thanks,
> Adam
> 
> 
> On Thu, Apr 7, 2011 at 4:47 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Suppose I have the following CSP policy:
>>
>> frame-src http://example.com
>>
>> Now, I have the following HTML in my page:
>>
>> <iframe src="http://example.com/foo.html"></iframe>
>>
>> Where foo.html is the following:
>>
>> <a href="http://mozilla.org/">Mozilla</a>
>>
>> What happens when the user clicks that hyperlink?  In particular, does
>> the frame-src directive stop the frame from being navigated
>> altogether, or does it only affect loads caused by the page with the
>> policy?
>>
>> Adam
>>
> 
Received on Thursday, 21 April 2011 15:38:40 GMT
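
The two readings of frame-src raised in this thread, modeled on its example policy and URLs. This is an added JavaScript illustration, not code from the thread, the spec, or any browser; the function names and the interpretation labels `always` and `parent-initiated-only` are assumptions, and only scheme://host[:port] sources are matched (no wildcards, paths, or keywords).

```javascript
// Simplified model of frame-src enforcement for a framed document.
// Assumption: sources are plain origins such as http://example.com.
function parseFrameSrc(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-src') return sources;
  }
  return null; // no frame-src directive: this model imposes no restriction
}

function originAllowed(sources, url) {
  if (sources === null) return true;
  const target = new URL(url).origin;
  return sources.some((source) => {
    try {
      return new URL(source).origin === target;
    } catch {
      return false; // not an absolute URL (e.g. a keyword): unsupported here
    }
  });
}

// initiator: 'parent' when the page carrying the policy sets the iframe URL,
// 'child' when the framed document navigates itself (e.g. a clicked link).
function frameLoadAllowed(parentPolicy, url, initiator, interpretation) {
  if (interpretation === 'parent-initiated-only' && initiator !== 'parent') {
    return true; // reading 2: policy covers only loads caused by its own page
  }
  // reading 1 ('always'): the parent's policy governs every load in the frame,
  // regardless of who performs the navigation
  return originAllowed(parseFrameSrc(parentPolicy), url);
}

// Constructed scenario using the policy and URLs quoted in the thread.
const policy = 'frame-src http://example.com';
function scenario(interpretation) {
  return {
    initialLoad: frameLoadAllowed(policy, 'http://example.com/foo.html', 'parent', interpretation),
    linkClick: frameLoadAllowed(policy, 'http://mozilla.org/', 'child', interpretation),
  };
}

console.log('always:', scenario('always'));
console.log('parent-initiated-only:', scenario('parent-initiated-only'));
```

Under `always` the link click inside the frame is blocked; under `parent-initiated-only` the same click is allowed, so a frame can end up showing an origin the embedding page's policy never listed.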
