Re: CSP & iframe subresources

On 1/11/2013 1:45 AM, Adam Barth wrote:
>> Is there a difference in that aspect between different kinds of iframes?
>> (3rd party, sandboxed, etc)
> Nope.  The one exception is srcdoc iframes, which do inherit their
> parent's CSP policy.

In Firefox an iframe with a data URI as it's src inherits the origin of 
the parent document. This is historical Netscape behavior that differs 
from other browsers, but does seem to be in the HTML 5 spec last time I 
checked. Because of this, for safety we also inherit the parent frame's 
CSP if there is one.

-Dan Veditz

Received on Monday, 14 January 2013 21:48:01 UTC