Re: Content Security Policy and iframe@sandbox from gaz Heyes on 2011-02-13 (public-web-security@w3.org from February 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Sun, 13 Feb 2011 20:53:11 +0000
To: "sird@rckc.at" <sird@rckc.at>
Cc: Adam Barth <w3c@adambarth.com>, "Steingruebl, Andy" <asteingruebl@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <AANLkTikX__MnPvZGrrSQq6puUOKx0Ex0=9tCBfTcM6ih@mail.gmail.com>

On 13 February 2011 12:23, sird@rckc.at <sird@rckc.at> wrote:

> I don't think an attribute called policy is the best solution, but I think
> something in that direction (being able to specify a CSP from an iframe)
> would solve that problem.
>

Nope defo not an attribute policy, an attacker could use this to their
advantage

Received on Sunday, 13 February 2011 20:53:43 UTC