Re: ACTION-115: Proposal for handling srcdoc

The current wording seems to require that the parent's CSP policy is
enforced on the iframe even if the iframe is sandboxed (w/o
allow-same-origin). I think it is better that a sandboxed iframe not
inheriting the privileges of the parent also not inherit the CSP
policy.

--dev


On 29 April 2013 22:29, Adam Barth <w3c@adambarth.com> wrote:
> ACTION-115 asks me to make a proposal for handling the interaction
> between CSP and srcdoc.  I've made a first pass at speccing the
> interaction in this change:
>
> https://dvcs.w3.org/hg/content-security-policy/rev/edce1a90a0c4
>
> Please let me know if you have any comments.
>
> ACTION-115 also asks me to make a proposal for handling the
> interaction between CSP and blob URLs.  I don't believe we need to
> change anything about the spec to handle this interaction.  Please let
> me know if you think there's something we need to add to handle this
> interaction.
>
> Adam
>

Received on Tuesday, 30 April 2013 07:08:05 UTC