
Re: [CSP] is frame-src a load-time restriction or permanent jail?

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 30 Jun 2011 23:26:36 -0700
Message-ID: <BANLkTikH=hqyQu4dO3KfyveoaLs+hFFvtA@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-web-security <public-web-security@w3.org>

That's what I implemented in WebKit as well.

Adam


On Thu, Jun 30, 2011 at 11:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> Should the CSP frame-src directive only restrict the initial load of
> frame content (including redirects) or should it function as an
> iframe "jail"? The spec talks about loading the iframe content but
> doesn't say anything about what happens if the framed content
> navigates after that.
>
> The Mozilla implementation is a "jail": navigation within the frame
> can only be to a URL permitted by the parent's frame-src directive.
> We believe the stricter interpretation is safer than enforcing the
> directive only on the initial load and any redirects.
>
> -Dan Veditz
>
>
Received on Friday, 1 July 2011 06:27:54 GMT
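As an added illustration of the two readings Dan contrasts (this is example code, not the WebKit or Mozilla implementation), the simulation below checks a frame's initial load and redirect hops under both models, then re-checks later in-frame navigations only under the "jail" model. The parent origin, the frame-src value and all URLs are constructed, and the source-list matcher is a deliberately small subset of CSP syntax.

```javascript
// Constructed parent origin used to resolve 'self' and scheme-less sources.
const SELF = { scheme: 'https', host: 'app.example', port: '443' };

// Minimal URL parser: scheme, host and effective port are all frame-src needs.
function parseUrl(u) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?/i.exec(u);
  if (!m) throw new Error('unsupported URL: ' + u);
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2].toLowerCase(), port: m[3] || (scheme === 'https' ? '443' : '80') };
}

// Subset of CSP source expressions: 'none', 'self', [scheme://][*.]host[:port|*].
function sourceMatches(expr, url) {
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    return url.scheme === SELF.scheme && url.host === SELF.host && url.port === SELF.port;
  }
  const m = /^(?:([a-z]+):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error('unsupported source expression: ' + expr);
  const scheme = (m[1] || SELF.scheme).toLowerCase();
  const host = m[3].toLowerCase();
  const port = m[4] || (scheme === 'https' ? '443' : '80');
  const hostOk = m[2] ? url.host.endsWith('.' + host) : url.host === host;
  return url.scheme === scheme && hostOk && (port === '*' || url.port === port);
}

// True when the frame-src source list permits `urlString` as frame content.
function allowedByFrameSrc(frameSrc, urlString) {
  const url = parseUrl(urlString);
  return frameSrc.trim().split(/\s+/).some((expr) => sourceMatches(expr, url));
}

// Walk one frame's lifetime. `initialHops` is the initial load plus any redirect
// hops; `laterNavs` are navigations the framed content performs afterwards.
// model 'load-time' checks only initialHops; model 'jail' re-checks every navigation.
function simulateFrame(frameSrc, model, initialHops, laterNavs) {
  const events = [];
  for (const url of initialHops) {
    const allowed = allowedByFrameSrc(frameSrc, url);
    events.push({ phase: 'initial', url, allowed });
    if (!allowed) return events; // a blocked hop ends the load under both readings
  }
  for (const url of laterNavs) {
    const allowed = model === 'jail' ? allowedByFrameSrc(frameSrc, url) : true;
    events.push({ phase: 'navigation', url, allowed });
    if (!allowed) break; // the jail stops the frame at the first disallowed URL
  }
  return events;
}

const POLICY = "'self' https://*.widgets.example"; // constructed frame-src value
```

Running `simulateFrame(POLICY, 'load-time', [...], ['https://other.example/'])` versus the same call with `'jail'` shows the second event flip from allowed to blocked, which is exactly the behavioural gap the spec text left open.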
