- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 17 Jul 2013 15:24:12 -0400
- To: public-webappsec@w3.org
On 7/17/13 2:50 PM, Anne van Kesteren wrote:

>>> How is this not frame-src? Or is this about top-level? What's the
>>> scenario there?
>>
>> The scenario is injection causing automagical top-level navigation. That's
>> why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
>> `frame-src` doesn't seem relevant enough. *shrug*
>
> I meant the attack scenario. If it's a top-level navigation there's no
> same-origin concern. There would be if it happened inside an <iframe>.

I'm not sure I follow the toplevel-vs-iframe distinction here. Why is there no same-origin concern with toplevel navigation? Or are we assuming things like no ability to window.open from inside the frame before navigating the toplevel?

-Boris
Received on Wednesday, 17 July 2013 19:24:41 UTC