- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 24 Mar 2011 16:26:01 -0700
- To: public-web-security@w3.org
Sayeth CSP:

[[ If a scheme is not specified as part of the source expression, a user-agent MUST use the same scheme as the protected document. ]]

Which scheme, precisely, should we use? For example, suppose we have an about:blank document that (somehow) acquires a CSP policy. Should we use "about" as the default scheme? Suppose we have an about:blank iframe inside a document with a CSP policy. Should the document inside the iframe be bound by the CSP policy of the parent frame? (Same question for data URLs.)

Recommendation:

1) We should incorporate the CSP policy for a document into the security origin state for the document, just as HTML5 does for iframe@sandbox. That means the CSP policy will inherit along with the rest of the document's security context (e.g., origin and sandbox flags).

2) We should grab the scheme from the origin of the document. If the document has a security origin that lacks a scheme (e.g., because it's been sandboxed), then we ignore source values without an explicit scheme (aka, no soup for you).

Thoughts?

Adam
Received on Thursday, 24 March 2011 23:27:04 UTC
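The two recommendations in the message above, worked through as a small model of CSP host-source matching. This is example code added to this page, not code from the original post, from the CSP specification, or from any browser; the `Origin`, `effective_origin`, `source_matches` and `allowed` names are illustrative, and the matcher covers only scheme, host and port (no paths or keyword sources). A scheme of `None` on `Origin` models a sandboxed, opaque origin that has no scheme.

```python
"""Model of the scheme-inheritance rules proposed in the post above.

Recommendation (1): about:blank and data: documents inherit the parent
document's security context (origin and, with it, CSP policy).
Recommendation (2): a scheme-less source expression takes the scheme of
the document's origin; if that origin has no scheme, the source is ignored.
Illustrative code written for this page, not taken from any implementation.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Origin:
    # scheme=None models a security origin without a scheme (e.g. a
    # sandboxed, opaque origin), the case the post calls "no soup for you".
    scheme: Optional[str]
    host: str = ""
    port: Optional[int] = None


def origin_of(url: str, sandboxed: bool = False) -> Origin:
    """Security origin of a top-level document; sandboxing yields an opaque origin."""
    if sandboxed:
        return Origin(None)
    p = urlsplit(url)
    return Origin(p.scheme, p.hostname or "", p.port or DEFAULT_PORTS.get(p.scheme))


def effective_origin(url: str, parent: Optional[Origin]) -> Origin:
    """Recommendation (1): an about:blank or data: frame inherits the parent's
    origin rather than getting a bare 'about' or 'data' scheme of its own."""
    if parent is not None and urlsplit(url).scheme in ("about", "data"):
        return parent
    return origin_of(url)


def source_matches(source: str, doc_origin: Origin, url: str) -> bool:
    """Does one CSP host-source expression allow a fetch of `url`?"""
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
    else:
        # Recommendation (2): inherit the document origin's scheme, or, when
        # the origin has no scheme, ignore this source entirely.
        if doc_origin.scheme is None:
            return False
        src_scheme, rest = doc_origin.scheme, source

    src_host, _, src_port = rest.partition(":")
    target = urlsplit(url)
    target_host = target.hostname or ""
    target_port = target.port or DEFAULT_PORTS.get(target.scheme)

    if target.scheme != src_scheme:
        return False
    if src_host == "*":
        pass  # any host
    elif src_host.startswith("*."):
        if not target_host.endswith(src_host[1:]):  # wildcard subdomain
            return False
    elif target_host != src_host:
        return False
    if src_port == "*":
        return True
    # No explicit port means the default port of the (possibly inherited) scheme.
    expected_port = int(src_port) if src_port else DEFAULT_PORTS.get(src_scheme)
    return target_port == expected_port


def allowed(sources: List[str], doc_origin: Origin, url: str) -> bool:
    """A fetch is allowed when any source in the directive's source list matches."""
    return any(source_matches(s, doc_origin, url) for s in sources)


if __name__ == "__main__":
    top = origin_of("https://example.com/page")          # constructed sample document
    frame = effective_origin("about:blank", top)         # about:blank child inherits origin
    sandboxed = origin_of("https://example.com/", sandboxed=True)
    print(allowed(["cdn.example.com"], frame, "https://cdn.example.com/a.js"))   # scheme inherited
    print(allowed(["cdn.example.com"], sandboxed, "https://cdn.example.com/a.js"))  # ignored
```

With the second recommendation, a sandboxed document's policy of `script-src cdn.example.com` permits nothing at all, while `script-src https://cdn.example.com` still works; authors who sandbox frames therefore need to spell out schemes in their source lists.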