- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 30 Apr 2013 00:07:19 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

The current wording seems to require that the parent's CSP policy is enforced on the iframe even if the iframe is sandboxed (w/o allow-same-origin). I think it is better that a sandboxed iframe not inheriting the privileges of the parent also not inherit the CSP policy.

--dev

On 29 April 2013 22:29, Adam Barth <w3c@adambarth.com> wrote:
> ACTION-115 asks me to make a proposal for handling the interaction
> between CSP and srcdoc. I've made a first pass at speccing the
> interaction in this change:
>
> https://dvcs.w3.org/hg/content-security-policy/rev/edce1a90a0c4
>
> Please let me know if you have any comments.
>
> ACTION-115 also asks me to make a proposal for handling the
> interaction between CSP and blob URLs. I don't believe we need to
> change anything about the spec to handle this interaction. Please let
> me know if you think there's something we need to add to handle this
> interaction.
>
> Adam

Received on Tuesday, 30 April 2013 07:08:05 UTC