- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 20 Apr 2011 11:36:35 -0700
- To: public-web-security@w3.org

I haven't heard back for two weeks, so what I've implemented is that the parent frame's CSP policy always controls which URLs can be loaded in the frame, regardless of who performs the navigation. We should clarify the spec regardless of what we decide is best.

Thanks,
Adam

On Thu, Apr 7, 2011 at 4:47 PM, Adam Barth <w3c@adambarth.com> wrote:
> Suppose I have the following CSP policy:
>
> frame-src http://example.com
>
> Now, I have the following HTML in my page:
>
> <iframe src="http://example.com/foo.html"></iframe>
>
> Where foo.html is the following:
>
> <a href="http://mozilla.org/">Mozilla</a>
>
> What happens when the user clicks that hyperlink? In particular, does
> the frame-src directive stop the frame from being navigated
> altogether, or does it only affect loads caused by the page with the
> policy?
>
> Adam

Received on Wednesday, 20 April 2011 18:37:35 UTC
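
The two readings of `frame-src` discussed in this thread, as a simplified model added here for illustration (it is not code from the thread or from any browser). The function names and the `interpretation` labels are hypothetical, only `scheme://host[:port]` sources are matched, and a policy without `frame-src` is treated as unrestricted.

```javascript
// Simplified model of the frame-src question in this thread; not browser code.
// Assumption: only scheme://host[:port] sources are matched, and a policy
// with no frame-src directive is treated as unrestricted.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the frame-src source list, or null when the directive is absent.
function parseFrameSrc(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-src") return sources;
  }
  return null;
}

// Compare scheme, host and effective port of a source expression and a URL.
function sourceMatches(source, target) {
  const s = new URL(source);
  const t = new URL(target);
  const port = (u) => u.port || DEFAULT_PORTS[u.protocol] || "";
  return s.protocol === t.protocol && s.hostname === t.hostname && port(s) === port(t);
}

// interpretation (hypothetical labels):
//   "parent-always"  - the embedding page's policy governs every load in the frame
//   "initiator-only" - the policy governs only loads the embedding page starts
function frameNavigationAllowed(parentPolicy, targetUrl, initiator, interpretation) {
  const sources = parseFrameSrc(parentPolicy);
  if (sources === null) return true;
  if (interpretation === "initiator-only" && initiator !== "parent") return true;
  return sources.some((src) => sourceMatches(src, targetUrl));
}

// The scenario from the quoted message: the parent embeds foo.html, then the
// user clicks the link inside the frame.
function runScenario(interpretation) {
  const policy = "frame-src http://example.com";
  return {
    initialLoad: frameNavigationAllowed(policy, "http://example.com/foo.html", "parent", interpretation),
    linkClick: frameNavigationAllowed(policy, "http://mozilla.org/", "frame", interpretation),
  };
}

console.log("parent-always:", runScenario("parent-always"));
console.log("initiator-only:", runScenario("initiator-only"));
```

Under the "parent-always" reading the click on the link is blocked; under "initiator-only" it goes through, which is the ambiguity the message asks the spec to resolve.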