- From: Alex Russell <notifications@github.com>
- Date: Wed, 11 Nov 2015 13:08:12 -0800
- To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Received on Wednesday, 11 November 2015 21:08:41 UTC
I think there's a couple of things we can contribute. At a first pass, it seems out of scope to make a hard-and-fast decision about _if_ this should be enabled for sub-documents, but perhaps _how_ this can be enabled. Options include the `sandbox` attribute for iframes:

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

Adding an option and denying by default might be reasonable.

An open question for us in the TAG is the extent to which we should try to recommend a pattern for new powerful features as they relate to iframes. Consistency here seems desirable (and like it's on us to figure out).

Separately, I think we should discuss with @mikewest and the WebAppSec gang how we might think about a similar process for getting new features flagged for control by CSP.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/issues/90#issuecomment-155911165