- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 14 Jan 2013 13:47:34 -0800
- To: Adam Barth <w3c@adambarth.com>
- CC: Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 1/11/2013 1:45 AM, Adam Barth wrote:
>> Is there a difference in that aspect between different kinds of iframes?
>> (3rd party, sandboxed, etc)
>
> Nope. The one exception is srcdoc iframes, which do inherit their
> parent's CSP policy.

In Firefox an iframe with a data URI as its src inherits the origin of the parent document. This is historical Netscape behavior that differs from other browsers, but does seem to be in the HTML 5 spec last time I checked. Because of this, for safety we also inherit the parent frame's CSP if there is one.

-Dan Veditz

Received on Monday, 14 January 2013 21:48:01 UTC