- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 29 Jun 2012 10:03:46 -0700
- To: Mattias Karlsson <enkidude@gmail.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, public-webappsec@w3.org
On Fri, Jun 29, 2012 at 4:56 AM, Mattias Karlsson <enkidude@gmail.com> wrote: > On Sun, Jun 24, 2012 at 11:10 PM, Bjoern Hoehrmann <derhoermi@gmx.net> > wrote: >> >> * Mattias Karlsson wrote: >> >I noticed that the CSP specification does not mention anything about the >> >iframe srcdoc attribute. It's not obvious to me whether the CSP policy of >> >the containing page should be enforced on the content of an iframe with a >> >srcdoc attribute or if it should be treated like a normal iframe with >> > only >> >a src attribute. Should this be clarified in the specification or can the >> >correct behavior be derived anyway? >> >> http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html > > That proposal sounds reasonable to me. Any reason why it hasn't made it to > the specification? I plan to add it to 1.1, but we're still wrapping up 1.0. WebKit is the only engine that implement srcdoc, so there isn't much of a rush. Adam
Received on Friday, 29 June 2012 17:04:53 UTC