Re: CSP and iframe srcdoc attribute

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sun, 24 Jun 2012 23:10:45 +0200
To: Mattias Karlsson <enkidude@gmail.com>
Cc: public-webappsec@w3.org
Message-ID: <ph0fu75dvheb80d53ef0d1ep98m3nnnqni@hive.bjoern.hoehrmann.de>

* Mattias Karlsson wrote:
>I noticed that the CSP specification does not mention anything about the
>iframe srcdoc attribute. It's not obvious to me whether the CSP policy of
>the containing page should be enforced on the content of an iframe with a
>srcdoc attribute or if it should be treated like a normal iframe with only
>a src attribute. Should this be clarified in the specification or can the
>correct behavior be derived anyway?

Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Sunday, 24 June 2012 21:11:09 UTC