- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Fri, 04 May 2012 16:11:37 -0700
- To: Ingo Chao <ichaocssd@googlemail.com>
- CC: public-webappsec@w3.org
Disregard. I see Adam has already responded:

On 5/2/12 9:41 AM, Adam Barth wrote:
> On Tue, May 1, 2012 at 1:19 PM, Ingo Chao <ichaocssd@googlemail.com> wrote:
>> A html file contains
>> <iframe src="javascript:''"></iframe>
>>
>> Chrome logs:
>> "[Report Only] Refused to load frame from 'about:blank' because of
>> Content-Security-Policy."
>>
>> What would be the correct frame-src value that allows it?
> You're running into a bug in WebKit's implementation:
>
> https://bugs.webkit.org/show_bug.cgi?id=85233
>
> It's not sensible to block about:blank documents because you get a
> blank document when a URL is blocked. :)
>
> I'll fix it soon. Thanks!
>
> Adam

On 5/4/12 12:35 PM, Tanvi Vyas wrote:
> What does your Content Security Policy header look like? You may need
> to allow unsafe-inline for the javascript:... to work.
>
> On 4/30/12 6:43 AM, Ingo Chao wrote:
>> A html file contains
>> <iframe src="javascript:''"></iframe>
>>
>> Chrome logs:
>> "[Report Only] Refused to load frame from 'about:blank' because of
>> Content-Security-Policy."
>>
>> What would be the correct frame-src value that allows it?
>>
>> Thanks,
>> Ingo Chao
Received on Friday, 4 May 2012 23:12:07 UTC