Re: On the Content Security Policy Violations due to Same Origin Policy from Daniel Veditz on 2016-11-15 (public-webappsec@w3.org from November 2016)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 15 Nov 2016 09:58:35 -0800
To: Dolière Francis SOME <doliere.some@inria.fr>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@fb.com>, Nataliia Bielova <nataliia.bielova@inria.fr>, Tamara Rezk <tamara.rezk@inria.fr>
Message-ID: <CADYDTCAoM0mUOkdDmPTjuJzwZ7zhfxYJANxQwhXK+Ta-1ns6WA@mail.gmail.com>

On Tue, Nov 15, 2016 at 2:52 AM, Dolière Francis SOME <doliere.some@inria.fr
> wrote:

> We have reported
>  
> this issue to Mozilla (bug number 1305076) since we thought it’s a bug in
> their implementation.
>

It's a bug in our implementation.


> Do you think that CSP should still apply to sandboxed srcdoc iframes
> without “allow-same-origin”?
>

Yes.


-
Dan Veditz

Received on Tuesday, 15 November 2016 17:59:09 UTC