W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2013

Re: CSP & iframe subresources

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 14 Jan 2013 13:47:34 -0800
Message-ID: <50F47CF6.1040507@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 1/11/2013 1:45 AM, Adam Barth wrote:
>> Is there a difference in that aspect between different kinds of iframes?
>> (3rd party, sandboxed, etc)
>
> Nope.  The one exception is srcdoc iframes, which do inherit their
> parent's CSP policy.

In Firefox an iframe with a data URI as it's src inherits the origin of 
the parent document. This is historical Netscape behavior that differs 
from other browsers, but does seem to be in the HTML 5 spec last time I 
checked. Because of this, for safety we also inherit the parent frame's 
CSP if there is one.

-Dan Veditz
Received on Monday, 14 January 2013 21:48:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 14 January 2013 21:48:02 GMT