Re: CSP and iframe srcdoc attribute

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 29 Jun 2012 10:03:46 -0700
Message-ID: <CAJE5ia-GTL8teDKEZ=ugOeT1YVV9+oPitxPS00PJAYckz9AG=A@mail.gmail.com>
To: Mattias Karlsson <enkidude@gmail.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, public-webappsec@w3.org
On Fri, Jun 29, 2012 at 4:56 AM, Mattias Karlsson <enkidude@gmail.com> wrote:
> On Sun, Jun 24, 2012 at 11:10 PM, Bjoern Hoehrmann <derhoermi@gmx.net>
> wrote:
>>
>> * Mattias Karlsson wrote:
>> >I noticed that the CSP specification does not mention anything about the
>> >iframe srcdoc attribute. It's not obvious to me whether the CSP policy of
>> >the containing page should be enforced on the content of an iframe with a
>> >srcdoc attribute or if it should be treated like a normal iframe with only
>> >a src attribute. Should this be clarified in the specification or can the
>> >correct behavior be derived anyway?
>>
>> http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html
>
> That proposal sounds reasonable to me. Any reason why it hasn't made it to
> the specification?

I plan to add it to 1.1, but we're still wrapping up 1.0.  WebKit is
the only engine that implements srcdoc, so there isn't much of a rush.

Adam
Received on Friday, 29 June 2012 17:04:53 GMT