W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Re: ACTION-115: Proposal for handling srcdoc

From: Ian Melven <imelven@mozilla.com>
Date: Thu, 2 May 2013 10:26:01 -0700 (PDT)
To: Adam Barth <w3c@adambarth.com>
Cc: public-webappsec@w3.org, Devdatta Akhawe <dev.akhawe@gmail.com>
Message-ID: <710479809.14155189.1367515561533.JavaMail.root@mozilla.com>

I agree with Dev, that seems quite reasonable (and may well already be the way
it works in Gecko due to our CSP implementation, although our srcdoc
implementation is still in progress). 

thanks,
ian


----- Original Message -----
From: "Adam Barth" <w3c@adambarth.com>
To: "Devdatta Akhawe" <dev.akhawe@gmail.com>
Cc: public-webappsec@w3.org
Sent: Tuesday, April 30, 2013 12:54:47 PM
Subject: Re: ACTION-115: Proposal for handling srcdoc

Maybe we could make a more general statement that's not specific to
srcdoc?  For example, perhaps any time a document inherits the origin
of another document, it should also inherit the CSP policy?  That
would include <iframe src="about:blank"></iframe> for example.

Adam


On Tue, Apr 30, 2013 at 12:07 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> The current wording seems to require that the parent's CSP policy is
> enforced on the iframe even if the iframe is sandboxed (w/o
> allow-same-origin). I think it is better that a sandboxed iframe not
> inheriting the privileges of the parent also not inherit the CSP
> policy.
>
> --dev
>
>
> On 29 April 2013 22:29, Adam Barth <w3c@adambarth.com> wrote:
>> ACTION-115 asks me to make a proposal for handling the interaction
>> between CSP and srcdoc.  I've made a first pass at speccing the
>> interaction in this change:
>>
>> https://dvcs.w3.org/hg/content-security-policy/rev/edce1a90a0c4
>>
>> Please let me know if you have any comments.
>>
>> ACTION-115 also asks me to make a proposal for handling the
>> interaction between CSP and blob URLs.  I don't believe we need to
>> change anything about the spec to handle this interaction.  Please let
>> me know if you think there's something we need to add to handle this
>> interaction.
>>
>> Adam
>>
Received on Thursday, 2 May 2013 17:26:32 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC