- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Wed, 19 Oct 2011 11:25:16 -0700
- To: "Michael A. Peters" <mpeters@domblogger.net>
- CC: public-web-security@w3.org
On 10/18/11 6:09 PM, Michael A. Peters wrote:
> I'm not that fond of the 'unsafe-inline' directive as there is no way
> for a web browser to differentiate between injected script/style and
> what is legitimate. Using external CSS/Script and forbidding inline
> makes it possible for browsers to differentiate.

You're preaching to the choir. Your point about using external script and CSS is fundamental to the whole CSP model. My suggestion was to add 'unsafe-inline' to the style-src directive, which does not remove restrictions on inline _script_. You asked about a particular use case and I suggested a way to support it under CSP. I'm not sure what else to tell you.

> With respect to the iframe, I was under the impression the iframe had to
> minimally conform to the same policy as its parent document. I guess I
> am wrong there, though that is how I would think it should be.

Your understanding is wrong. A policy applies only to the top-level document. If you applied the policy to all the sub-frames, one potential bad side effect would be preventing frame-busting scripts (or other features) from loading. If a site wants to apply a CSP to the document in the sub-frames, they must serve a CSP header with the frame response. This obviously implies that they control the content there as well.

While there are certain valid cases where it would be "nice" to apply a policy all the way down through a frame tree, we fundamentally cannot allow a site to impose a security policy on another site, hence the need for each document to opt-in by serving its own policy.

-Brandon
Received on Wednesday, 19 October 2011 18:25:46 UTC
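The two points Brandon makes, modelled as an added example that is not part of the thread: 'unsafe-inline' on style-src loosens only inline styles while inline script stays governed by script-src (falling back to default-src), and a framed document is covered by a policy only if its own response carries one. The header strings, the hypothetical parse_csp/inline_allowed/frame_policy helpers and the default-src fallback rule of CSP 1.0 are this example's own assumptions.

```python
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]

# Constructed headers: the top-level document relaxes inline *style* only.
TOP_LEVEL_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'"
# Constructed header the framed document would serve on its own response.
FRAME_CSP = "default-src 'none'; script-src 'self'"


def parse_csp(header: str) -> Policy:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # A repeated directive is ignored; the first occurrence wins.
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Policy, directive: str) -> List[str]:
    """Fetch directives fall back to default-src when not set explicitly."""
    return policy.get(directive, policy.get("default-src", []))


def inline_allowed(policy: Policy, directive: str) -> bool:
    """True only if the governing directive lists 'unsafe-inline'.

    Note that putting 'unsafe-inline' on default-src instead of style-src
    would also reach script-src through the fallback, which is exactly
    what the style-src-only suggestion avoids.
    """
    return "'unsafe-inline'" in effective_sources(policy, directive)


def frame_policy(parent_header: str, frame_header: Optional[str]) -> Optional[Policy]:
    """Policy governing a framed document.

    The parent's header is irrelevant: without its own header the frame
    is unrestricted (None); with one, that header alone applies.
    """
    del parent_header  # deliberately unused: policies do not inherit into frames
    return parse_csp(frame_header) if frame_header is not None else None


if __name__ == "__main__":
    top = parse_csp(TOP_LEVEL_CSP)
    print("inline style allowed at top level:", inline_allowed(top, "style-src"))
    print("inline script allowed at top level:", inline_allowed(top, "script-src"))
    print("frame without own header:", frame_policy(TOP_LEVEL_CSP, None))
    print("frame with own header:", frame_policy(TOP_LEVEL_CSP, FRAME_CSP))
```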