Re: correct CSP frame-src value for a scripted iframe src?

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Fri, 04 May 2012 16:11:37 -0700
Message-ID: <4FA46229.2040604@mozilla.com>
To: Ingo Chao <ichaocssd@googlemail.com>
CC: public-webappsec@w3.org

Disregard.  I see Adam has already responded:

On 5/2/12 9:41 AM, Adam Barth wrote:
> On Tue, May 1, 2012 at 1:19 PM, Ingo Chao <ichaocssd@googlemail.com> wrote:
>> An HTML file contains
>> <iframe src="javascript:''"></iframe>
>>
>> Chrome logs:
>> "[Report Only] Refused to load frame from 'about:blank' because of
>> Content-Security-Policy."
>>
>> What would be the correct frame-src value that allows it?
> You're running into a bug in WebKit's implementation:
>
> https://bugs.webkit.org/show_bug.cgi?id=85233
>
> It's not sensible to block about:blank documents because you get a
> blank document when a URL is blocked.  :)
>
> I'll fix it soon.  Thanks!
>
> Adam
>



On 5/4/12 12:35 PM, Tanvi Vyas wrote:
> What does your Content Security Policy header look like?  You may need 
> to allow unsafe-inline for the javascript:... to work.
>
> On 4/30/12 6:43 AM, Ingo Chao wrote:
>> An HTML file contains
>> <iframe src="javascript:''"></iframe>
>>
>> Chrome logs:
>> "[Report Only] Refused to load frame from 'about:blank' because of
>> Content-Security-Policy."
>>
>> What would be the correct frame-src value that allows it?
>>
>> Thanks,
>> Ingo Chao
>>
>>
>
>
Received on Friday, 4 May 2012 23:12:07 GMT