- From: Mike West <mkwst@google.com>
- Date: Thu, 18 Jul 2013 17:03:31 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 18 July 2013 15:04:22 UTC
On Wed, Jul 17, 2013 at 8:50 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> >> How is this not frame-src? Or is this about top-level? What's the
> >> scenario there?
> >
> > The scenario is injection causing automagical top-level navigation. That's
> > why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
> > `frame-src` doesn't seem relevant enough. *shrug*
>
> I meant the attack scenario. If it's a top-level navigation there's no
> same-origin concern. There would be if it happened inside an <iframe>.
> Navigating the user to a data URL or a different domain over http
> seems about the same...

As another data point, sandboxed iframes block meta refresh if automatic features aren't allowed via 'allow-script'[1]. That seems like a good argument for tying this to 'script-src'.

[1]: http://www.whatwg.org/specs/web-apps/current-work/multipage/semantics.html#attr-meta-http-equiv-refresh

-mike