- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 30 Jun 2011 23:26:36 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: public-web-security <public-web-security@w3.org>

That's what I implemented in WebKit as well.

Adam


On Thu, Jun 30, 2011 at 11:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> Should the CSP frame-src directive only restrict the initial load of
> frame content (including redirects) or should it function as an
> iframe "jail"? The spec talks about loading the iframe content but
> doesn't say anything about what happens if the framed content
> navigates after that.
>
> The Mozilla implementation is a "jail": navigation within the frame
> can only be to a URL permitted by the parent's frame-src directive.
> We believe the stricter interpretation is safer than enforcing the
> directive only on the initial load and any redirects.
>
> -Dan Veditz

Received on Friday, 1 July 2011 06:27:54 UTC
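
The two readings of frame-src discussed in this thread, modeled side by side. This is an added example, not code from the original message, WebKit or Mozilla; the function names, the sample policy and the URLs are constructed, and source matching is simplified to scheme, host and port.

```javascript
// Added illustration; names, policy and URLs are constructed for this example.
// Simplified source matching: [scheme://]host[:port], "*." host wildcard, "*".
// Paths, 'self', 'none' and fallback to other directives are not modeled.
function matchesSource(source, url) {
  if (source === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const u = new URL(url);
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== u.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? u.hostname.endsWith(h.slice(1)) : u.hostname === h;
  if (!hostOk) return false;
  if (port === '*') return true;
  // URL() reports '' when the URL uses the scheme's default port.
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return port === undefined ? u.port === '' : (u.port || defaultPort) === port;
}

function frameSrcAllows(policy, url) {
  const directive = policy.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-src');
  if (!directive) return true; // no frame-src in the policy: nothing to enforce here
  return directive.slice(1).some(s => matchesSource(s, url));
}

// steps: [{ kind: 'load' | 'redirect' | 'navigate', url }]
// 'initial-only' checks the load and its redirects; 'jail' also checks navigations.
function simulateFrame(policy, steps, mode) {
  let lastAllowed = null, blockedUrl = null;
  for (const { kind, url } of steps) {
    const checked = mode === 'jail' || kind !== 'navigate';
    if (checked && !frameSrcAllows(policy, url)) { blockedUrl = url; break; }
    lastAllowed = url; // last URL that passed (or was never checked)
  }
  return { lastAllowed, blockedUrl };
}

const POLICY = 'frame-src https://widgets.example';
const STEPS = [
  { kind: 'load', url: 'https://widgets.example/embed' },
  { kind: 'redirect', url: 'https://widgets.example/embed/v2' },
  { kind: 'navigate', url: 'https://other.example/page' }, // framed content navigates itself
];
for (const mode of ['initial-only', 'jail']) {
  console.log(mode, simulateFrame(POLICY, STEPS, mode));
}
```

Under `initial-only` the frame ends up on a host the parent's policy never listed; under `jail` the same navigation is refused.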