frame-src and navigation from Adam Barth on 2011-04-07 (public-web-security@w3.org from April 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 7 Apr 2011 16:47:52 -0700
To: public-web-security@w3.org
Message-ID: <BANLkTinYoK_qZkj3A_Za7d3N4nrYX+Gvfw@mail.gmail.com>

Suppose I have the following CSP policy:

frame-src http://example.com

Now, I have the following HTML in my page:

<iframe src="http://example.com/foo.html"></iframe>

Where foo.html is the following:

<a href="http://mozilla.org/">Mozilla</a>

What happens when the user clicks that hyperlink?  In particular, does
the frame-src directive stop the frame from being navigated
altogether, or does it only affect loads caused by the page with the
policy?

Adam

Received on Thursday, 7 April 2011 23:48:55 UTC