W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2012

Re: CSP and iframe srcdoc attribute

From: Mattias Karlsson <enkidude@gmail.com>
Date: Fri, 29 Jun 2012 13:56:59 +0200
Message-ID: <CAGVjpGWP+ztS5NbkPGPK3H6Esu0ExAKFfNFQ4Zf5+uYwt8RCsg@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: public-webappsec@w3.org
On Sun, Jun 24, 2012 at 11:10 PM, Bjoern Hoehrmann <derhoermi@gmx.net>wrote:

> * Mattias Karlsson wrote:
> >I noticed that the CSP specification does not mention anything about the
> >iframe srcdoc attribute. It's not obvious to me whether the CSP policy of
> >the containing page should be enforced on the content of an iframe with a
> >srcdoc attribute or if it should be treated like a normal iframe with only
> >a src attribute. Should this be clarified in the specification or can the
> >correct behavior be derived anyway?
> http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html

That proposal sounds reasonable to me. Any reason why it hasn't made it to
the specification?

/ Mattias
Received on Friday, 29 June 2012 11:57:26 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:53:58 UTC