- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 30 Jun 2011 23:14:38 -0700
- To: "public-web-security" <public-web-security@w3.org>
Should the CSP frame-src directive only restrict the initial load of frame content (including redirects) or should it function as an iframe "jail"? The spec talks about loading the iframe content but doesn't say anything about what happens if the framed content navigates after that.

The Mozilla implementation is a "jail": navigation within the frame can only be to a URL permitted by the parent's frame-src directive. We believe the stricter interpretation is safer than enforcing the directive only on the initial load and any redirects.

-Dan Veditz
Received on Friday, 1 July 2011 06:15:13 UTC
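
The two interpretations raised in the message above, as an added example that is not part of the original post and is not any browser's implementation: a simplified model that evaluates one frame history under initial-load-only enforcement and under the "jail" reading. The origins, the policy, and the function names are constructed for illustration, and source matching is reduced to exact origins, 'self' and '*'.

```javascript
// Added illustration: simplified model of the two frame-src interpretations.
// Assumption: source matching is exact-origin, 'self' or '*' only; real CSP
// source expressions (wildcard hosts, paths, scheme-only) are not modelled.

function originOf(url) {
  return new URL(url).origin;
}

function sourceAllows(sources, url, parentUrl) {
  const target = originOf(url);
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return target === originOf(parentUrl);
    return target === originOf(src);
  });
}

// events: ordered list of { kind: "load" | "redirect" | "navigate", url }
// mode "initial-load": the directive is checked on the load and its redirects.
// mode "jail": the directive is checked on every URL the frame tries to show.
// Each event is judged independently so the two modes can be compared.
function evaluateFrame(sources, parentUrl, events, mode) {
  return events.map((ev) => {
    const checked = mode === "jail" || ev.kind !== "navigate";
    const allowed = !checked || sourceAllows(sources, ev.url, parentUrl);
    return { ...ev, checked, allowed };
  });
}

// Constructed sample: parent page, its frame-src list, and a frame history
// in which the framed document navigates itself after loading.
const PARENT = "https://app.example/";
const FRAME_SRC = ["'self'", "https://widgets.example"];
const EVENTS = [
  { kind: "load", url: "https://widgets.example/embed" },
  { kind: "redirect", url: "https://widgets.example/embed/v2" },
  { kind: "navigate", url: "https://other.example/landing" },
];

function blockedUrls(mode, events = EVENTS) {
  return evaluateFrame(FRAME_SRC, PARENT, events, mode)
    .filter((r) => !r.allowed)
    .map((r) => r.url);
}

console.log("initial-load blocks:", blockedUrls("initial-load"));
console.log("jail blocks:", blockedUrls("jail"));
```

Under the initial-load reading the later navigation is never checked, so nothing is blocked; under the jail reading the same navigation is refused because its origin is not in the parent's frame-src list.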