W3C home > Mailing lists > Public > public-web-security@w3.org > July 2011

[CSP] is frame-src a load-time restriction or permanent jail?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 30 Jun 2011 23:14:38 -0700
Message-ID: <4E0D65CE.4040302@mozilla.com>
To: "public-web-security" <public-web-security@w3.org>

Should the CSP frame-src directive only restrict the initial load of
frame content (including redirects) or should it function as an
iframe "jail"? The spec talks about loading the iframe content but
doesn't say anything about what happens if the framed content
navigates after that.

The Mozilla implementation is a "jail": navigation within the frame
can only be to a URL permitted by the parent's frame-src directive.
We believe the stricter interpretation is safer than enforcing the
directive only on the initial load and any redirects.

-Dan Veditz
Received on Friday, 1 July 2011 06:15:13 GMT
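As an added illustration of the two readings the message contrasts, the following JavaScript models a frame-src policy and replays a frame's lifetime (initial load, redirects, later in-frame navigations) once under "load-time only" semantics and once under "jail" semantics. It is example code written for this archive page, not the Mozilla implementation or any browser's CSP engine, and it simplifies source-expression matching: paths are ignored, there is no http-to-https upgrade for scheme-less sources, and a source without a port matches only the scheme's default port. The policy, parent URL and frame URLs are constructed sample values.

```javascript
// Model of CSP frame-src enforcement: "load-time" vs "jail" (added example,
// not browser code). Source-expression matching is a simplified subset.

// Split a frame-src directive value into its source expressions.
function parseFrameSrc(directiveValue) {
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

// Reduce a URL to the parts this model compares. `port` is '' for the
// scheme's default port (that is how the WHATWG URL API reports it).
function parseOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

// Does one source expression match the target origin, given the document's
// own origin (`self`) for resolving 'self' and scheme-less host sources?
function matchesSource(expr, target, self) {
  if (expr === "'none'") return false;
  if (expr === '*') return target.scheme === 'http' || target.scheme === 'https';
  if (expr === "'self'") {
    return target.scheme === self.scheme && target.host === self.host && target.port === self.port;
  }
  // Scheme-only source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.scheme === expr.slice(0, -1).toLowerCase();
  // Host source: [scheme://][*.]host[:port|:*]  (paths not modelled, an assumption)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme.toLowerCase() : self.scheme; // no upgrade rule modelled
  if (target.scheme !== wantScheme) return false;
  const h = host.toLowerCase();
  if (wildcard ? !target.host.endsWith('.' + h) : target.host !== h) return false;
  if (port === undefined) return target.port === '';          // default port only
  return port === '*' || port === target.port;
}

// Is `url` permitted by `policy` when the embedding document lives at `selfUrl`?
function isAllowed(policy, url, selfUrl) {
  const self = parseOrigin(selfUrl);
  const target = parseOrigin(url);
  return parseFrameSrc(policy).some(expr => matchesSource(expr, target, self));
}

// Replay a frame's lifetime. `initialChain` is the initial load URL followed by
// any redirect targets; `navigations` are later navigations started inside the
// frame. In 'load-time' mode only the chain is checked; in 'jail' mode every
// navigation is checked against the parent's frame-src as well.
function simulateFrame({ policy, parentUrl, initialChain, navigations, mode }) {
  const trace = [];
  for (const url of initialChain) {
    const allowed = isAllowed(policy, url, parentUrl);
    trace.push({ phase: 'load', url, allowed });
    if (!allowed) return { blocked: url, trace };
  }
  for (const url of navigations) {
    const allowed = mode === 'jail' ? isAllowed(policy, url, parentUrl) : true;
    trace.push({ phase: 'navigate', url, allowed });
    if (!allowed) return { blocked: url, trace };
  }
  return { blocked: null, trace };
}

// Constructed scenario: the frame loads an allowed widget origin, follows a
// same-origin redirect, then later navigates to an origin the policy never listed.
const scenario = {
  policy: "'self' https://widgets.example.net",
  parentUrl: 'https://app.example.com/dashboard',
  initialChain: ['https://widgets.example.net/embed', 'https://widgets.example.net/v2/embed'],
  navigations: ['https://widgets.example.net/v2/settings', 'https://third-party.example.org/page'],
};

function runScenario() {
  return {
    loadTime: simulateFrame({ ...scenario, mode: 'load-time' }),
    jail: simulateFrame({ ...scenario, mode: 'jail' }),
  };
}

const results = runScenario();
console.log('load-time semantics blocked:', results.loadTime.blocked); // null
console.log('jail semantics blocked:     ', results.jail.blocked);     // the unlisted origin
```

Under the load-time reading the frame ends up on an origin the parent never authorised and nothing in the trace records it; under the jail reading the same navigation is refused, which is the difference in exposure the message is asking the group to decide on.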

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 1 July 2011 06:15:14 GMT