Re: ACTION-115: Proposal for handling srcdoc

Maybe we could make a more general statement that's not specific to
srcdoc?  For example, perhaps any time a document inherits the origin
of another document, it should also inherit the CSP policy?  That
would include <iframe src="about:blank"></iframe> for example.

Adam


On Tue, Apr 30, 2013 at 12:07 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> The current wording seems to require that the parent's CSP policy is
> enforced on the iframe even if the iframe is sandboxed (w/o
> allow-same-origin). I think it is better that a sandboxed iframe not
> inheriting the privileges of the parent also not inherit the CSP
> policy.
>
> --dev
>
>
> On 29 April 2013 22:29, Adam Barth <w3c@adambarth.com> wrote:
>> ACTION-115 asks me to make a proposal for handling the interaction
>> between CSP and srcdoc.  I've made a first pass at speccing the
>> interaction in this change:
>>
>> https://dvcs.w3.org/hg/content-security-policy/rev/edce1a90a0c4
>>
>> Please let me know if you have any comments.
>>
>> ACTION-115 also asks me to make a proposal for handling the
>> interaction between CSP and blob URLs.  I don't believe we need to
>> change anything about the spec to handle this interaction.  Please let
>> me know if you think there's something we need to add to handle this
>> interaction.
>>
>> Adam
>>

Received on Tuesday, 30 April 2013 19:55:46 UTC
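The rule proposed in this thread (a document that inherits its origin also inherits the parent's CSP), together with the sandbox case Dev raised, as an added illustrative model. This is not spec text, browser code, or anything from the thread; the `parent`/`frame` object shapes, the `sandbox` token list and the sample values are constructed here, and blob URLs are deliberately left out since the thread treats them as needing no change.

```javascript
// Added model of the proposed CSP inheritance rule (illustrative only):
//   - about:blank and srcdoc documents take the embedder's origin,
//     except when sandboxed without allow-same-origin (opaque origin);
//   - the proposal makes CSP inheritance follow origin inheritance.
// `parent` is { origin, csp }, `frame` is { src?, srcdoc?, sandbox? },
// where `sandbox` is an array of sandbox tokens (assumed shapes).

function effectiveOrigin(parent, frame) {
  const src = frame.src ?? "about:blank"; // a frame with no src is about:blank
  const originInheriting = frame.srcdoc !== undefined || src === "about:blank";

  if (!originInheriting) {
    // A navigated document has its own origin and its own CSP headers.
    return { kind: "url", value: new URL(src).origin, inherited: false };
  }

  const sandboxed = frame.sandbox !== undefined;
  const allowSameOrigin = sandboxed && frame.sandbox.includes("allow-same-origin");
  if (sandboxed && !allowSameOrigin) {
    // Sandboxed without allow-same-origin: opaque origin, nothing inherited.
    return { kind: "opaque", value: null, inherited: false };
  }

  return { kind: "url", value: parent.origin, inherited: true };
}

// The proposal: the parent's policy applies exactly when the origin was inherited.
// Returns the inherited policy string, or null when no policy is inherited.
function effectiveCsp(parent, frame) {
  return effectiveOrigin(parent, frame).inherited ? parent.csp : null;
}

// Constructed sample: a parent page with a script-src policy.
const sampleParent = { origin: "https://example.test", csp: "script-src 'self'" };

// Walk the cases discussed in the thread.
function inheritanceTable() {
  return {
    srcdoc: effectiveCsp(sampleParent, { srcdoc: "<p>hi</p>" }),
    srcdocSandboxed: effectiveCsp(sampleParent, { srcdoc: "<p>hi</p>", sandbox: [] }),
    srcdocSameOrigin: effectiveCsp(sampleParent, { srcdoc: "<p>hi</p>", sandbox: ["allow-same-origin"] }),
    aboutBlank: effectiveCsp(sampleParent, { src: "about:blank" }),
    crossOrigin: effectiveCsp(sampleParent, { src: "https://other.test/page" }),
  };
}
```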