Re: Content Security Policy and iframe@sandbox from sird@rckc.at on 2011-02-13 (public-web-security@w3.org from February 2011)

From: <sird@rckc.at>
Date: Sun, 13 Feb 2011 22:54:51 +0100
To: gaz Heyes <gazheyes@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, "Steingruebl, Andy" <asteingruebl@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <AANLkTi=nv0A7SqdvMDvv9=PFe-yFg9LNUzpDh+xY0Ce0@mail.gmail.com>

Yeah, that's why it should be same origin.

The attacker can't do anything new if it's locked to same origin.

Greetz
-- Eduardo

On Sun, Feb 13, 2011 at 9:53 PM, gaz Heyes <gazheyes@gmail.com> wrote:

> On 13 February 2011 12:23, sird@rckc.at <sird@rckc.at> wrote:
>
>> I don't think an attribute called policy is the best solution, but I think
>> something in that direction (being able to specify a CSP from an iframe)
>> would solve that problem.
>>
>
> Nope defo not an attribute policy, an attacker could use this to their
> advantage
>

Received on Sunday, 13 February 2011 21:55:45 UTC