Re: CSP and iframe srcdoc attribute

On Fri, Jun 29, 2012 at 4:56 AM, Mattias Karlsson <enkidude@gmail.com> wrote:
> On Sun, Jun 24, 2012 at 11:10 PM, Bjoern Hoehrmann <derhoermi@gmx.net>
> wrote:
>>
>> * Mattias Karlsson wrote:
>> >I noticed that the CSP specification does not mention anything about the
>> >iframe srcdoc attribute. It's not obvious to me whether the CSP policy of
>> >the containing page should be enforced on the content of an iframe with a
>> >srcdoc attribute or if it should be treated like a normal iframe with
>> > only
>> >a src attribute. Should this be clarified in the specification or can the
>> >correct behavior be derived anyway?
>>
>> http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html
>
> That proposal sounds reasonable to me. Any reason why it hasn't made it to
> the specification?

I plan to add it to 1.1, but we're still wrapping up 1.0.  WebKit is
the only engine that implement srcdoc, so there isn't much of a rush.

Adam

Received on Friday, 29 June 2012 17:04:53 UTC