- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 9 Nov 2011 23:51:39 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- cc: public-web-security@w3.org, Jacob Rossi <jrossi@microsoft.com>
On Fri, 4 Nov 2011, Adam Barth wrote:
>
> 2) Refuse to load documents with a CSP sandbox directive in the main
> frame. Site can, of course, continue to load them in subframes. We
> could then apply the sandbox policy to the iframe and all future
> documents that load in that frame. There's no "poisoning" issues as
> above because navigating the main frame clears out the policy.
>
> Of these choices, I favor (2) because I think the main use case for this
> feature is for documents intended to be loaded in subframes rather than
> documents loaded in the main frame.

When would it be preferable to do this rather than just using sandbox=""
on the <iframe>?

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 9 November 2011 23:52:12 UTC