Re: ACTION-115: Proposal for handling srcdoc

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 30 Apr 2013 12:54:47 -0700
Message-ID: <CAJE5ia-LxB34NmV8dA2-C2PUW0y9vSi8+PtV47QosG3e8hzriQ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Maybe we could make a more general statement that's not specific to
srcdoc?  For example, perhaps any time a document inherits the origin
of another document, it should also inherit the CSP policy?  That
would include <iframe src="about:blank"></iframe> for example.

Adam


On Tue, Apr 30, 2013 at 12:07 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> The current wording seems to require that the parent's CSP policy is
> enforced on the iframe even if the iframe is sandboxed (w/o
> allow-same-origin). I think it is better that a sandboxed iframe not
> inheriting the privileges of the parent also not inherit the CSP
> policy.
>
> --dev
>
>
> On 29 April 2013 22:29, Adam Barth <w3c@adambarth.com> wrote:
>> ACTION-115 asks me to make a proposal for handling the interaction
>> between CSP and srcdoc.  I've made a first pass at speccing the
>> interaction in this change:
>>
>> https://dvcs.w3.org/hg/content-security-policy/rev/edce1a90a0c4
>>
>> Please let me know if you have any comments.
>>
>> ACTION-115 also asks me to make a proposal for handling the
>> interaction between CSP and blob URLs.  I don't believe we need to
>> change anything about the spec to handle this interaction.  Please let
>> me know if you think there's something we need to add to handle this
>> interaction.
>>
>> Adam
>>
Received on Tuesday, 30 April 2013 19:55:46 UTC
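As an added example that is not part of the thread, this JavaScript models the rule proposed in the message above (a frame inherits the CSP policy exactly when it inherits the embedding document's origin) together with the sandbox caveat raised in the quoted reply. The frame descriptors, the parent CSP header and the host names are constructed for the demo, and the script-src/default-src fallback is the simplified policy model assumed here, not a full CSP evaluator.

```javascript
// Added example, not from the thread: a model of "inherit CSP exactly when
// origin is inherited", plus the sandbox caveat from the quoted reply. Frame
// descriptors, the parent CSP header and host names are constructed for demo.

// Parse a serialized CSP header into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Does the frame inherit the embedding document's origin? about:blank and
// srcdoc frames do, unless sandboxed without allow-same-origin, in which case
// they get an opaque origin. A frame with its own URL has its own origin.
function inheritsOrigin(frame) {
  const sandbox = frame.sandbox ?? null; // null: no sandbox attribute at all
  const opaque = sandbox !== null && !sandbox.includes("allow-same-origin");
  const local = frame.src === "about:blank" || frame.srcdoc !== undefined;
  return local && !opaque;
}

// Effective CSP for the frame under the proposed rule. A frame that does not
// inherit origin gets an empty policy here; a real navigation would instead
// use whatever CSP header its own response carries.
function effectivePolicy(parentHeader, frame) {
  return inheritsOrigin(frame) ? parseCsp(parentHeader) : new Map();
}

// Does the policy permit an inline <script>? script-src governs, falling back
// to default-src; with neither directive present, inline script is allowed.
function cspAllowsInlineScript(policy) {
  const sources = policy.get("script-src") ?? policy.get("default-src");
  return sources === undefined || sources.includes("'unsafe-inline'");
}

// Combined outcome: the sandbox attribute disables scripting outright unless
// allow-scripts is set, and the (possibly inherited) CSP must allow inline.
function inlineScriptRuns(parentHeader, frame) {
  const sandbox = frame.sandbox ?? null;
  const scriptingOn = sandbox === null || sandbox.includes("allow-scripts");
  return scriptingOn && cspAllowsInlineScript(effectivePolicy(parentHeader, frame));
}

const PARENT_CSP = "default-src 'self'; script-src 'self' https://cdn.example";
```

Under this model a plain srcdoc or about:blank frame is bound by the parent's script-src, while a srcdoc frame sandboxed with only allow-scripts has an opaque origin and therefore runs under no inherited policy.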