
Re: correct CSP frame-src value for a scripted iframe src?

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Fri, 04 May 2012 12:35:07 -0700
Message-ID: <4FA42F6B.4010408@mozilla.com>
To: Ingo Chao <ichaocssd@googlemail.com>
CC: public-webappsec@w3.org
What does your Content Security Policy header look like?  You may need 
to allow unsafe-inline for the javascript:... to work.

On 4/30/12 6:43 AM, Ingo Chao wrote:
> An HTML file contains
> <iframe src="javascript:''"></iframe>
>
> Chrome logs:
> "[Report Only] Refused to load frame from 'about:blank' because of
> Content-Security-Policy."
>
> What would be the correct frame-src value that allows it?
>
> Thanks,
> Ingo Chao
>
>
Received on Friday, 4 May 2012 19:36:14 GMT
