Re: Content Security Policy and iframe@sandbox

From: <sird@rckc.at>
Date: Sun, 13 Feb 2011 22:54:51 +0100
Message-ID: <AANLkTi=nv0A7SqdvMDvv9=PFe-yFg9LNUzpDh+xY0Ce0@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, "Steingruebl, Andy" <asteingruebl@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>

Yeah, that's why it should be same origin.

The attacker can't do anything new if it's locked to same origin.

Greetz
-- Eduardo



On Sun, Feb 13, 2011 at 9:53 PM, gaz Heyes <gazheyes@gmail.com> wrote:

> On 13 February 2011 12:23, sird@rckc.at <sird@rckc.at> wrote:
>
>> I don't think an attribute called policy is the best solution, but I think
>> something in that direction (being able to specify a CSP from an iframe)
>> would solve that problem.
>>
>
> Nope defo not an attribute policy, an attacker could use this to their
> advantage
>
Received on Sunday, 13 February 2011 21:55:45 GMT
