
Re: CSP & iframe subresources

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 11 Jan 2013 01:45:17 -0800
Message-ID: <CAJE5ia_kU8EDaWsoEorW1Dmq3PPG1jeaXowC6vbDJEFAH=dk9w@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Jan 11, 2013 at 1:39 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> Do the CSP policies of the main HTML also apply to subresources of iframes?

Nope.  CSP works on a per-document basis.

> What happens if the iframe also has its own CSP policy? Is it additive to
> the main HTML policies?

The iframe's CSP policy is enforced in the iframe.  The parent
document's CSP policy doesn't factor in.

> Is there a difference in that aspect between different kinds of iframes?
> (3rd party, sandboxed, etc)

Nope.  The one exception is srcdoc iframes, which do inherit their
parent's CSP policy.

Adam
Received on Friday, 11 January 2013 09:46:17 GMT
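A small model of the scoping rules stated in the reply above, added here as an illustration (it is not code from the thread or from any browser; the frame tree, URLs and policies are constructed):

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Document:
    url: str
    csp: str = None                     # the document's own Content-Security-Policy header
    srcdoc: bool = False                # True for <iframe srcdoc="...">
    parent: "Document" = None

def enforcing_document(doc):
    # CSP is per document: a frame enforces only its own policy. The one exception
    # modelled is srcdoc, which inherits the parent's policy (and its origin for 'self').
    while doc.srcdoc and doc.parent is not None:
        doc = doc.parent
    return doc

def parse_policy(csp):
    # "img-src a b; default-src c" -> {"img-src": ["a", "b"], "default-src": ["c"]}
    directives = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives

def load_allowed(doc, directive, resource_url):
    # Minimal source-list check: 'none', 'self' and host sources only.
    enforcer = enforcing_document(doc)
    if enforcer.csp is None:
        return True                                  # no policy in scope
    directives = parse_policy(enforcer.csp)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True                                  # neither the directive nor default-src is set
    res, origin = urlparse(resource_url), urlparse(enforcer.url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and (res.scheme, res.netloc) == (origin.scheme, origin.netloc):
            return True
        if src != "'self'" and urlparse(src if "://" in src else "//" + src).netloc == res.netloc:
            return True
    return False

# Constructed frame tree: top document with a policy, third-party iframe without one,
# same-origin iframe with its own stricter policy, and a srcdoc iframe.
TOP = Document("https://app.example/", csp="default-src 'self'; img-src 'self' cdn.example")
THIRD_PARTY = Document("https://ads.example/frame", parent=TOP)
OWN_POLICY = Document("https://app.example/widget", csp="img-src 'none'", parent=TOP)
SRCDOC = Document("about:srcdoc", srcdoc=True, parent=TOP)
```

Current CSP (Level 3) also inherits the policy into other local-scheme documents such as about:blank and blob:; the model tracks only the srcdoc rule discussed in this thread.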
