Re: CSP & iframe subresources

On Fri, Jan 11, 2013 at 1:39 AM, Yoav Weiss <> wrote:
> Does the CSP policies of the main HTML apply also subresources of iframes?

Nope.  CSP works on a per-document basis.

> What happens if the iframe also has it's own CSP policy? Is it additive to
> the main HTML policies?

The iframe's CSP policy is enforced in the iframe.  The parent
document's CSP policy doesn't factor in.

> Is there a difference in that aspect between different kinds of iframes?
> (3rd party, sandboxed, etc)

Nope.  The one exception is srcdoc iframes, which do inherit their
parent's CSP policy.


Received on Friday, 11 January 2013 09:46:17 UTC