CSP & iframe subresources from Yoav Weiss on 2013-01-11 (public-webappsec@w3.org from January 2013)

From: Yoav Weiss <yoav@yoav.ws>
Date: Fri, 11 Jan 2013 10:39:26 +0100
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CACj=BEjASh5tsnpSLHvDcc_zMJLfCjG1_QOLF+P-7DK2ZTupaQ@mail.gmail.com>

Does the CSP policies of the main HTML apply also subresources of iframes?

What happens if the iframe also has it's own CSP policy? Is it additive to
the main HTML policies?

Is there a difference in that aspect between different kinds of iframes?
(3rd party, sandboxed, etc)

Thanks,
Yoav

Received on Friday, 11 January 2013 09:39:57 UTC