W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

Re: ACTION-115: Proposal for handling srcdoc

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 30 Apr 2013 00:07:19 -0700
Message-ID: <CAPfop_1LZ+kKxEW1W9mnn_5o9R-P1VgmBcCk5kbGXs9eqwSzvg@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

The current wording seems to require that the parent's CSP policy is
enforced on the iframe even if the iframe is sandboxed (w/o
allow-same-origin). I think it is better that a sandboxed iframe not
inheriting the privileges of the parent also not inherit the CSP
policy.

--dev


On 29 April 2013 22:29, Adam Barth <w3c@adambarth.com> wrote:
> ACTION-115 asks me to make a proposal for handling the interaction
> between CSP and srcdoc.  I've made a first pass at speccing the
> interaction in this change:
>
> https://dvcs.w3.org/hg/content-security-policy/rev/edce1a90a0c4
>
> Please let me know if you have any comments.
>
> ACTION-115 also asks me to make a proposal for handling the
> interaction between CSP and blob URLs.  I don't believe we need to
> change anything about the spec to handle this interaction.  Please let
> me know if you think there's something we need to add to handle this
> interaction.
>
> Adam
>
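The distinction Dev draws above (a srcdoc frame sandboxed without allow-same-origin gets a unique origin, so should it still be governed by the embedder's policy?) can be made concrete with a small model. The code below is an added example written for this archive page, not code from the thread, the CSP draft or any browser; the function names, the two "interpretations" and the sample policies are this example's own assumptions, and it says nothing about which wording the specification eventually adopted. It parses a serialized CSP and a sandbox attribute, computes the policy a srcdoc child would be under according to each reading, and checks whether an inline script in the child would be allowed.

```javascript
// Added example modelling the two readings discussed in the thread above.
// Names, data shapes and sample policies are assumptions of this example.

// Parse a serialized CSP ("default-src 'self'; script-src ...") into a
// Map of directive name -> array of source expressions. Per CSP, a
// directive repeated in one policy keeps its first occurrence only.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Parse the iframe sandbox attribute into a Set of allow-* flags.
// null/undefined means the attribute is absent (frame not sandboxed);
// an empty string means sandboxed with every restriction applied.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase()));
}

// A sandboxed frame keeps the embedder's origin only with allow-same-origin;
// otherwise it is put into a unique (opaque) origin.
function childHasParentOrigin(sandboxFlags) {
  return sandboxFlags === null || sandboxFlags.has("allow-same-origin");
}

// Reading 1 (the draft wording as Dev describes it): a srcdoc document
// always inherits the parent's policy, sandboxed or not.
function effectivePolicyAlwaysInherit(parentPolicy, sandboxFlags) {
  return parentPolicy;
}

// Reading 2 (Dev's proposal): inherit the policy only when the child also
// inherits the parent's privileges, i.e. shares its origin. A child in a
// unique origin ends up with no policy at all in this model.
function effectivePolicyOriginGated(parentPolicy, sandboxFlags) {
  return childHasParentOrigin(sandboxFlags) ? parentPolicy : new Map();
}

// Would an inline <script> in a document under this policy run?
// script-src governs it and falls back to default-src; with neither
// directive present there is no restriction.
function allowsInlineScript(policy) {
  let sources = policy.get("script-src");
  if (sources === undefined) sources = policy.get("default-src");
  if (sources === undefined) return true;
  return sources.includes("'unsafe-inline'");
}

// Evaluate one <iframe srcdoc sandbox=...> under both readings, given the
// embedder's serialized CSP. Returns whether inline script runs in the child.
function evaluateSrcdocInlineScript(parentCsp, sandboxAttr) {
  const parent = parsePolicy(parentCsp);
  const flags = parseSandbox(sandboxAttr);
  return {
    alwaysInherit: allowsInlineScript(effectivePolicyAlwaysInherit(parent, flags)),
    originGated: allowsInlineScript(effectivePolicyOriginGated(parent, flags)),
  };
}

// Constructed sample: parent page sends "default-src 'self'" and embeds a
// srcdoc frame with sandbox="" (no allow-same-origin).
console.log(evaluateSrcdocInlineScript("default-src 'self'", ""));
```

The interesting row is exactly the one the message is about: with `sandbox=""` the first reading blocks the child's inline script because the parent's `default-src 'self'` follows it into the frame, while the second reading leaves the unique-origin child unpoliced. Adding `allow-same-origin` makes the two readings agree, since the child then holds the parent's origin under both.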
Received on Tuesday, 30 April 2013 07:08:05 UTC
