- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Thu, 21 Apr 2011 08:38:10 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org

This sounds reasonable to me. If there aren't objections I'll make this
change as well to the spec.

-Brandon

On 4/20/11 11:36 AM, Adam Barth wrote:
> I haven't heard back for two weeks, so what I've implemented is that
> the parent frame's CSP policy always controls which URLs can be loaded
> in the frame, regardless of who performs the navigation. We should
> clarify the spec regardless of what we decide is best.
>
> Thanks,
> Adam
>
>
> On Thu, Apr 7, 2011 at 4:47 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Suppose I have the following CSP policy:
>>
>> frame-src http://example.com
>>
>> Now, I have the following HTML in my page:
>>
>> <iframe src="http://example.com/foo.html"></iframe>
>>
>> Where foo.html is the following:
>>
>> <a href="http://mozilla.org/">Mozilla</a>
>>
>> What happens when the user clicks that hyperlink? In particular, does
>> the frame-src directive stop the frame from being navigated
>> altogether, or does it only affect loads caused by the page with the
>> policy?
>>
>> Adam

Received on Thursday, 21 April 2011 15:38:40 UTC
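
The two readings of frame-src discussed in this thread, as an added example that is not code from the thread, the spec, or any browser. The function names, the `mode` and `initiator` labels, and the origin-only source matching are assumptions made for illustration; the framed page is assumed to carry no policy of its own.

```javascript
// Simplified model: a frame-src source matches when scheme, host and port
// are equal. Real CSP source expressions also allow wildcards, paths and
// keywords; those are left out here (assumption of this example).

// Return the origins listed by frame-src, or null if the directive is absent.
function parseFrameSrc(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-src") {
      return sources.map((s) => new URL(s).origin);
    }
  }
  return null;
}

// Decide whether the frame may load targetUrl.
//   embedderPolicy: CSP of the page that contains the <iframe>
//   initiator:      "embedder" or "framed" (who caused the navigation)
//   mode:           "embedder-always" = the embedding page's policy applies
//                   to every load in the frame (what Adam implemented);
//                   "initiator-only"  = the policy applies only to loads
//                   caused by the page that carries it (the other reading)
function frameLoadAllowed(embedderPolicy, targetUrl, initiator, mode) {
  const allowed = parseFrameSrc(embedderPolicy);
  if (allowed === null) return true; // no frame-src: nothing to enforce here
  if (mode === "initiator-only" && initiator !== "embedder") return true;
  return allowed.includes(new URL(targetUrl).origin);
}

// The scenario from the thread: policy, initial frame load, then the click.
const POLICY = "frame-src http://example.com";

function threadScenario(mode) {
  return {
    initialLoad: frameLoadAllowed(
      POLICY, "http://example.com/foo.html", "embedder", mode),
    linkClick: frameLoadAllowed(
      POLICY, "http://mozilla.org/", "framed", mode),
  };
}

console.log("embedder-always:", threadScenario("embedder-always"));
console.log("initiator-only: ", threadScenario("initiator-only"));
```

Under the "embedder-always" reading the click inside foo.html is blocked, so a framed page cannot steer the frame to an origin the embedding page did not list.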