
Re: [CSP] is frame-src a load-time restriction or permanent jail?

From: Brandon Sterne <bsterne@mozilla.com>
Date: Fri, 01 Jul 2011 09:17:12 -0700
Message-ID: <4E0DF308.6080005@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Daniel Veditz <dveditz@mozilla.com>, public-web-security <public-web-security@w3.org>

I have a note-to-self to update the spec with this language, but I
haven't gotten around to it yet.  I'll make that change soon.

-Brandon


On 06/30/2011 11:26 PM, Adam Barth wrote:
> That's what I implemented in WebKit as well.
>
> Adam
>
>
> On Thu, Jun 30, 2011 at 11:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> Should the CSP frame-src directive only restrict the initial load of
>> frame content (including redirects) or should it function as an
>> iframe "jail"? The spec talks about loading the iframe content but
>> doesn't say anything about what happens if the framed content
>> navigates after that.
>>
>> The Mozilla implementation is a "jail": navigation within the frame
>> can only be to a URL permitted by the parent's frame-src directive.
>> We believe the stricter interpretation is safer than enforcing the
>> directive only on the initial load and any redirects.
>>
>> -Dan Veditz
>>
>>
Received on Friday, 1 July 2011 16:17:26 GMT
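
The two readings of frame-src discussed in this thread, modelled as an added example that is not part of the original messages and is not WebKit or Mozilla code. The mode name `load-only`, the function names, and the sample origins and policy are assumptions made for illustration.

```javascript
// Simplified model: frame-src checked on load/redirect only vs. on every navigation.
// Source matching covers only *, 'self' and scheme/host expressions (no ports, paths or default-src fallback).
'use strict';

function parseFrameSrc(policy) {
  // Return the source list of the frame-src directive, or null if absent.
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-src') return sources;
  }
  return null;
}

function matchesSource(url, source, parentOrigin) {
  const u = new URL(url);
  if (source === '*') return true;
  if (source === "'self'") return u.origin === parentOrigin;
  // Host expression: optional scheme, optional leading "*." wildcard.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  const h = u.hostname.toLowerCase(), want = host.toLowerCase();
  return wildcard ? h.endsWith('.' + want) : h === want;
}

function enforce(policy, parentOrigin, events, mode) {
  const sources = parseFrameSrc(policy);
  return events.map(({ type, url }) => {
    // "jail" checks every event; "load-only" skips later in-frame navigations.
    const checked = mode === 'jail' || type !== 'navigate';
    const allowed = sources === null || !checked ||
      sources.some((s) => matchesSource(url, s, parentOrigin));
    return { type, url, checked, allowed };
  });
}

// Constructed sample: a parent page, its policy, and one frame's lifetime.
const PARENT = 'https://shop.example';
const POLICY = "default-src 'self'; frame-src https://widgets.example";
const EVENTS = [
  { type: 'load', url: 'https://widgets.example/start' },
  { type: 'redirect', url: 'https://widgets.example/v2/start' },
  { type: 'navigate', url: 'https://other.example/page' },
];

for (const mode of ['load-only', 'jail']) {
  console.log(mode, enforce(POLICY, PARENT, EVENTS, mode).map((r) => r.allowed));
}
```

Only the third event differs between the modes: the in-frame navigation to an origin outside the parent's frame-src list goes unchecked under `load-only` and is refused under `jail`.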
