Re: CSP and iframe srcdoc attribute from Mattias Karlsson on 2012-06-29 (public-webappsec@w3.org from June 2012)

From: Mattias Karlsson <enkidude@gmail.com>
Date: Fri, 29 Jun 2012 13:56:59 +0200
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: public-webappsec@w3.org
Message-ID: <CAGVjpGWP+ztS5NbkPGPK3H6Esu0ExAKFfNFQ4Zf5+uYwt8RCsg@mail.gmail.com>

On Sun, Jun 24, 2012 at 11:10 PM, Bjoern Hoehrmann <derhoermi@gmx.net>wrote:

> * Mattias Karlsson wrote:
> >I noticed that the CSP specification does not mention anything about the
> >iframe srcdoc attribute. It's not obvious to me whether the CSP policy of
> >the containing page should be enforced on the content of an iframe with a
> >srcdoc attribute or if it should be treated like a normal iframe with only
> >a src attribute. Should this be clarified in the specification or can the
> >correct behavior be derived anyway?
>
> http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html


That proposal sounds reasonable to me. Any reason why it hasn't made it to
the specification?

/ Mattias

Received on Friday, 29 June 2012 11:57:26 UTC