
Re: correct CSP frame-src value for a scripted iframe src?

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 2 May 2012 09:41:03 -0700
Message-ID: <CAJE5ia8vD8KHT6WVT7QBo4iLyYPwL=3erBCzkL6dyLgN97HqCQ@mail.gmail.com>
To: Ingo Chao <ichaocssd@googlemail.com>
Cc: public-webappsec@w3.org

On Tue, May 1, 2012 at 1:19 PM, Ingo Chao <ichaocssd@googlemail.com> wrote:
> An HTML file contains
> <iframe src="javascript:''"></iframe>
>
> Chrome logs:
> "[Report Only] Refused to load frame from 'about:blank' because of
> Content-Security-Policy."
>
> What would be the correct frame-src value that allows it?

You're running into a bug in WebKit's implementation:

https://bugs.webkit.org/show_bug.cgi?id=85233

It's not sensible to block about:blank documents because you get a
blank document when a URL is blocked.  :)

I'll fix it soon.  Thanks!

Adam
Received on Wednesday, 2 May 2012 16:42:09 GMT
