- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 11 Jan 2013 01:45:17 -0800
- To: Yoav Weiss <yoav@yoav.ws>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Jan 11, 2013 at 1:39 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> Do the CSP policies of the main HTML apply also to subresources of iframes?

Nope. CSP works on a per-document basis.

> What happens if the iframe also has its own CSP policy? Is it additive to
> the main HTML policies?

The iframe's CSP policy is enforced in the iframe. The parent document's CSP policy doesn't factor in.

> Is there a difference in that aspect between different kinds of iframes?
> (3rd party, sandboxed, etc)

Nope. The one exception is srcdoc iframes, which do inherit their parent's CSP policy.

Adam

Received on Friday, 11 January 2013 09:46:17 UTC
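
Added example (not part of the original message): a JavaScript sketch that applies the rules as stated in the reply above to a constructed frame tree, reporting which policy governs each document and which documents have none. The tree shape, the field names (`kind`, `csp`, `frames`) and the URLs are assumptions made for illustration.

```javascript
// Constructed sample: a top-level page and its frames. `csp` is the policy
// delivered with that document itself; null means none was delivered.
const page = {
  name: 'https://example.test/', kind: 'top', csp: "script-src 'self'",
  frames: [
    { name: 'https://widgets.example.test/ad', kind: 'src', csp: null,
      frames: [{ name: 'srcdoc-in-ad', kind: 'srcdoc' }] },
    { name: 'https://example.test/embed', kind: 'src', csp: "default-src 'none'" },
    { name: 'srcdoc-in-top', kind: 'srcdoc' },
  ],
};

// Walk the tree and record the policy that governs each document's
// subresource loads, following the rules stated in the message:
//   - CSP is per document; a parent's policy does not reach into its iframes
//   - an iframe's own policy is enforced only inside that iframe
//   - srcdoc iframes are the exception and inherit the parent's policy
function governingPolicies(doc, parentPolicy = null, out = []) {
  const inherited = doc.kind === 'srcdoc';
  const policy = inherited ? parentPolicy : (doc.csp ?? null);
  out.push({ name: doc.name, policy, inherited });
  for (const child of doc.frames ?? []) governingPolicies(child, policy, out);
  return out;
}

// Documents whose loads are governed by no policy at all.
function unprotected(tree) {
  return governingPolicies(tree).filter(d => d.policy === null).map(d => d.name);
}

console.log(governingPolicies(page));
console.log('no governing policy:', unprotected(page));
```

The ad frame shows the practical consequence: a strict policy on the top-level page leaves a framed document uncovered unless that document is served with its own policy.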