- From: Ian Melven <imelven@mozilla.com>
- Date: Thu, 2 May 2013 10:26:01 -0700 (PDT)
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webappsec@w3.org, Devdatta Akhawe <dev.akhawe@gmail.com>
I agree with Dev, that seems quite reasonable (and may well already be the way it works in Gecko due to our CSP implementation, although our srcdoc implementation is still in progress).

thanks,
ian

----- Original Message -----
From: "Adam Barth" <w3c@adambarth.com>
To: "Devdatta Akhawe" <dev.akhawe@gmail.com>
Cc: public-webappsec@w3.org
Sent: Tuesday, April 30, 2013 12:54:47 PM
Subject: Re: ACTION-115: Proposal for handling srcdoc

Maybe we could make a more general statement that's not specific to srcdoc? For example, perhaps any time a document inherits the origin of another document, it should also inherit the CSP policy? That would include <iframe src="about:blank"></iframe> for example.

Adam

On Tue, Apr 30, 2013 at 12:07 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> The current wording seems to require that the parent's CSP policy is
> enforced on the iframe even if the iframe is sandboxed (w/o
> allow-same-origin). I think it is better that a sandboxed iframe not
> inheriting the privileges of the parent also not inherit the CSP
> policy.
>
> --dev
>
>
> On 29 April 2013 22:29, Adam Barth <w3c@adambarth.com> wrote:
>> ACTION-115 asks me to make a proposal for handling the interaction
>> between CSP and srcdoc. I've made a first pass at speccing the
>> interaction in this change:
>>
>> https://dvcs.w3.org/hg/content-security-policy/rev/edce1a90a0c4
>>
>> Please let me know if you have any comments.
>>
>> ACTION-115 also asks me to make a proposal for handling the
>> interaction between CSP and blob URLs. I don't believe we need to
>> change anything about the spec to handle this interaction. Please let
>> me know if you think there's something we need to add to handle this
>> interaction.
>>
>> Adam
Received on Thursday, 2 May 2013 17:26:32 UTC
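The rule the thread converges on (inherit the embedder's CSP exactly when the child document inherits the embedder's origin, so a sandboxed frame without allow-same-origin, which gets an opaque origin, inherits neither) can be modelled in a few lines. The following is an added example, not code from Gecko, WebKit or the CSP spec draft linked above. The document and frame representation, the helper names (childOrigin, effectivePolicy, evaluateCases), the sample parent and frames, and the choice to treat blob: documents as origin-inheriting (the thread only says blob URLs need no extra spec text) are assumptions of the example.

```javascript
// Added illustration of the rule proposed in the thread: a child document
// inherits its embedder's CSP exactly when it inherits the embedder's origin.
// Example code only, not browser or spec text. The frame/document shape, the
// helper names, and the blob: assumption below are the example's own.

let opaqueCounter = 0;

// Kinds of child document that take their origin from the embedding document
// rather than from a URL of their own. srcdoc and about:blank are the two
// cases named in the thread; "blob" is included on the assumption that a
// blob: document inherits its creator's origin.
const ORIGIN_INHERITING_KINDS = new Set(["srcdoc", "about:blank", "blob"]);

// Origin of the child document. `frame.sandbox` is the list of sandbox
// tokens, or undefined when the frame is not sandboxed at all.
function childOrigin(parent, frame) {
  // A sandboxed frame without allow-same-origin gets a fresh opaque origin
  // no matter what it loads, so it can never equal the parent's origin.
  if (frame.sandbox !== undefined && !frame.sandbox.includes("allow-same-origin")) {
    opaqueCounter += 1;
    return `opaque-${opaqueCounter}`;
  }
  if (ORIGIN_INHERITING_KINDS.has(frame.kind)) {
    return parent.origin;
  }
  // A document fetched from a real URL has the origin of that URL.
  return new URL(frame.url).origin;
}

// Policy enforced in the child under the proposed rule. A document that does
// not inherit its origin is governed only by the CSP its own response
// carried (null when it carried none); the parent's policy does not apply.
function effectivePolicy(parent, frame) {
  const origin = childOrigin(parent, frame);
  const inheritsOrigin = origin === parent.origin;
  const csp = inheritsOrigin ? parent.csp : (frame.responseCsp ?? null);
  return { origin, inheritsOrigin, csp };
}

// Constructed sample: one parent with a policy and the frame shapes the
// thread discusses (plain srcdoc, sandboxed srcdoc with and without
// allow-same-origin, about:blank, blob:, and an ordinary cross-origin frame).
const PARENT = { origin: "https://example.test", csp: "script-src 'self'" };

const CASES = {
  srcdoc: { kind: "srcdoc" },
  srcdocSandboxed: { kind: "srcdoc", sandbox: ["allow-scripts"] },
  srcdocSandboxedSameOrigin: { kind: "srcdoc", sandbox: ["allow-scripts", "allow-same-origin"] },
  aboutBlank: { kind: "about:blank" },
  blobUrl: { kind: "blob" },
  crossOrigin: { kind: "url", url: "https://other.test/widget", responseCsp: "default-src 'none'" },
};

// Evaluate every sample frame against the sample parent.
function evaluateCases() {
  const out = {};
  for (const [name, frame] of Object.entries(CASES)) {
    out[name] = effectivePolicy(PARENT, frame);
  }
  return out;
}

for (const [name, r] of Object.entries(evaluateCases())) {
  console.log(`${name.padEnd(26)} origin=${String(r.origin).padEnd(22)} csp=${r.csp}`);
}
```

Run it with node and compare the sandboxed srcdoc row with the plain srcdoc row: the only difference between the two frames is the sandbox attribute, and under the origin-inheritance rule that alone decides whether the parent's script-src applies, which is exactly Dev's point that a frame denied the parent's privileges should also not be bound by the parent's policy.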