- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Fri, 01 Jul 2011 09:17:12 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: Daniel Veditz <dveditz@mozilla.com>, public-web-security <public-web-security@w3.org>

I have a note-to-self to update the spec with this language, but I
haven't gotten around to it yet. I'll make that change soon.

-Brandon

On 06/30/2011 11:26 PM, Adam Barth wrote:
> That's what I implemented in WebKit as well.
>
> Adam
>
>
> On Thu, Jun 30, 2011 at 11:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> Should the CSP frame-src directive only restrict the initial load of
>> frame content (including redirects) or should it function as an
>> iframe "jail"? The spec talks about loading the iframe content but
>> doesn't say anything about what happens if the framed content
>> navigates after that.
>>
>> The Mozilla implementation is a "jail": navigation within the frame
>> can only be to a URL permitted by the parent's frame-src directive.
>> We believe the stricter interpretation is safer than enforcing the
>> directive only on the initial load and any redirects.
>>
>> -Dan Veditz

Received on Friday, 1 July 2011 16:17:26 UTC
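
The two interpretations of frame-src discussed in this thread, as a small model added here for illustration; it is not code from the Mozilla or WebKit implementations or from the spec. The source-matching rules are a simplified assumption, and the function names, step kinds and all URLs are constructed for the example.

```javascript
// Simplified model (assumption): a source is 'self', 'none', *, or scheme://host[:port]
// with an optional leading "*." host wildcard. Real CSP source matching has more rules.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };
function originParts(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

function matchesSource(source, url, parentUrl) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  const target = originParts(url);
  if (source === "'self'") {
    const p = originParts(parentUrl);
    return p.scheme === target.scheme && p.host === target.host && p.port === target.port;
  }
  const m = /^(https?):\/\/(\*\.)?([^:\/]+)(?::(\d+))?$/.exec(source);
  if (!m) return false; // unsupported expression in this model: fail closed
  const [, scheme, wildcard, host, port] = m;
  if (scheme + ":" !== target.scheme) return false;
  if ((port || DEFAULT_PORTS[scheme + ":"]) !== target.port) return false;
  return wildcard ? target.host.endsWith("." + host) : target.host === host;
}

function allowedByFrameSrc(frameSrc, url, parentUrl) {
  return frameSrc.trim().split(/\s+/).some((s) => matchesSource(s, url, parentUrl));
}

// steps: [{ url, kind }] where kind is "initial", "redirect" or "navigation".
// "initial-only" checks the load and its redirects; "jail" also checks later navigations.
function evaluateFrame(frameSrc, parentUrl, steps, mode) {
  return steps.map((step) => {
    const checked = mode === "jail" || step.kind !== "navigation";
    const allowed = !checked || allowedByFrameSrc(frameSrc, step.url, parentUrl);
    return { ...step, checked, allowed };
  });
}

// Constructed sample: an allowed widget frame that later navigates to another origin.
const pageUrl = "https://app.example/dashboard";
const policy = "'self' https://widgets.example";
const steps = [
  { url: "https://widgets.example/embed", kind: "initial" },
  { url: "https://widgets.example/embed/v2", kind: "redirect" },
  { url: "https://other.example/landing", kind: "navigation" },
];
for (const mode of ["initial-only", "jail"]) {
  console.log(mode, evaluateFrame(policy, pageUrl, steps, mode).map((r) => r.allowed));
}
```

Under the "initial-only" reading the final navigation is never checked against the parent's policy, while the "jail" reading refuses it.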