CSP and iframe srcdoc attribute from Mattias Karlsson on 2012-06-24 (public-webappsec@w3.org from June 2012)

From: Mattias Karlsson <enkidude@gmail.com>
Date: Sun, 24 Jun 2012 12:06:57 +0200
To: public-webappsec@w3.org
Message-ID: <CAGVjpGXjywRQVaQe7X9+JFumvuOxM4WbunB-Fvk86nJ=7ctK+Q@mail.gmail.com>

I noticed that the CSP specification does not mention anything about the
iframe srcdoc attribute. It's not obvious to me whether the CSP policy of
the containing page should be enforced on the content of an iframe with a
srcdoc attribute or if it should be treated like a normal iframe with only
a src attribute. Should this be clarified in the specification or can the
correct behavior be derived anyway?

/ Mattias

Received on Sunday, 24 June 2012 20:23:49 UTC