CSP and iframe srcdoc attribute

From: Mattias Karlsson <enkidude@gmail.com>
Date: Sun, 24 Jun 2012 12:06:57 +0200
Message-ID: <CAGVjpGXjywRQVaQe7X9+JFumvuOxM4WbunB-Fvk86nJ=7ctK+Q@mail.gmail.com>
To: public-webappsec@w3.org

I noticed that the CSP specification does not mention anything about the
iframe srcdoc attribute. It's not obvious to me whether the CSP policy of
the containing page should be enforced on the content of an iframe with a
srcdoc attribute or if it should be treated like a normal iframe with only
a src attribute. Should this be clarified in the specification or can the
correct behavior be derived anyway?

/ Mattias
Received on Sunday, 24 June 2012 20:23:49 GMT
