- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 6 Dec 2011 15:01:03 -0800
- To: public-webappsec@w3.org
On the call today, we discussed http://www.w3.org/2011/webappsec/track/issues/8. Specifically, whether the following markup should be controlled by the frame-src or the object-src directive:

<object data="http://www.yahoo.com/"></object>

The question boils down to whether we're thinking about directives syntactically or semantically. Syntactically, the Yahoo home page is being loaded by the object tag, so it should be controlled by the object-src directive. Semantically, the Yahoo home page is being displayed in a frame, so it should be controlled by the frame-src directive.

Jacob Rossi and Brandon Sterne both argued for the syntactic approach as being consistent with the other directives and better aligned with their implementations. I tested WebKit just now, and it seems to implement the semantic approach.

The current plan is to adopt the syntactic approach, making <object> always controlled by object-src regardless of whether it's used to display a plug-in or a frame. If you have any feedback on this topic, please feel encouraged to respond to this email.

Thanks,
Adam
Received on Tuesday, 6 December 2011 23:02:06 UTC
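
The two readings discussed in the message above, as an added example that is not part of the original email or of any browser's implementation: a small policy evaluator showing that a policy which forbids frames but leaves object-src open still lets the `<object>` markup load under the syntactic approach. The function names, the `rendersAs` parameter and the simplified source matching (only `*`, `'none'` and full origins, with fallback to default-src) are assumptions made for the illustration.

```javascript
// Added illustration; names and the simplified source matching are assumptions.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Which directive governs the load. `rendersAs` is what the fetched resource
// turns out to be: 'frame' (an HTML document) or 'plugin'.
function governingDirective(tag, rendersAs, approach) {
  if (tag === 'iframe' || tag === 'frame') return 'frame-src';
  if (tag === 'object' || tag === 'embed') {
    // Semantic: decide by how the content is displayed. Syntactic: by the tag.
    if (approach === 'semantic' && rendersAs === 'frame') return 'frame-src';
    return 'object-src';
  }
  throw new Error('unsupported tag: ' + tag);
}

// Simplified matching: wildcard, 'none', or an exact origin. Keywords such as
// 'self' and host-only sources are not handled and never match here.
function sourceMatches(source, url) {
  if (source === '*') return true;
  if (source === "'none'") return false;
  try { return new URL(source).origin === new URL(url).origin; } catch { return false; }
}

function isAllowed(policy, tag, rendersAs, url, approach) {
  const directive = governingDirective(tag, rendersAs, approach);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return { directive, allowed: true }; // nothing applies
  return { directive, allowed: sources.some((s) => sourceMatches(s, url)) };
}

// Constructed sample policy: frames forbidden, plug-in sources unrestricted.
const policy = parsePolicy("frame-src 'none'; object-src *");
const url = 'http://www.yahoo.com/';
for (const approach of ['syntactic', 'semantic']) {
  console.log(approach, isAllowed(policy, 'object', 'frame', url, approach));
}
```

Under the syntactic approach, a policy author who wants to prevent framed content has to restrict object-src as well as frame-src (or rely on default-src).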