- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 27 Aug 2014 00:49:10 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Mozilla is not currently planning to implement section 7.2 child-src and would prefer that this feature be delayed to a later edition of the CSP spec or outright killed. Or maybe we just don't understand the usefulness of the change.

Originally this was defined to unify frame-src and Workers but since then the rules for Workers have changed considerably (they need to specify their own policy header). Does it still make sense to deprecate the frame-src that existing policies are using if the child-src directive ends up covering only frames anyway?

If we keep child-src then the spec needs to say what happens during frame loads if a policy specifies both child-src and frame-src (and they aren't identical). If child-src is just an alias for frame-src it should be easy to implement, but in that case seems a bit pointless.

-Dan Veditz
Received on Wednesday, 27 August 2014 07:49:45 UTC
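
The mixed-directive case raised in the message above, as an added example that is not part of the original email or of any browser's code: a JavaScript check that flags a policy declaring both child-src and frame-src with different source lists. The function names and sample policies are constructed for illustration, and the check only reports the ambiguity; it assumes nothing about how a user agent resolves it.

```javascript
// Added example (not from the original message): flag policies in which
// child-src and frame-src are both present but list different sources.

// Parse a serialized policy into a Map of directive name -> source tokens.
// Names are case-insensitive; a repeated directive is ignored (first wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Assumption: order and repetition of sources are not significant, quoted
// keywords compare case-insensitively, and a lone 'none' equals an empty list.
function normalize(sources) {
  const set = new Set(sources.map(s => (s.startsWith("'") ? s.toLowerCase() : s)));
  if (set.size === 1 && set.has("'none'")) set.clear();
  return set;
}

function auditFrameDirectives(policy) {
  const d = parsePolicy(policy);
  const result = { status: 'neither', onlyChild: [], onlyFrame: [] };
  if (d.has('child-src') && !d.has('frame-src')) result.status = 'child-src-only';
  if (d.has('frame-src') && !d.has('child-src')) result.status = 'frame-src-only';
  if (d.has('child-src') && d.has('frame-src')) {
    const child = normalize(d.get('child-src'));
    const frame = normalize(d.get('frame-src'));
    result.onlyChild = [...child].filter(s => !frame.has(s));
    result.onlyFrame = [...frame].filter(s => !child.has(s));
    const differs = result.onlyChild.length > 0 || result.onlyFrame.length > 0;
    result.status = differs ? 'conflict' : 'identical';
  }
  return result;
}

// Constructed sample policies.
const samples = [
  "default-src 'self'; frame-src https://widgets.example",
  "child-src 'self' https://a.example; frame-src https://a.example 'SELF'",
  "child-src https://a.example; frame-src https://b.example",
];
for (const p of samples) console.log(auditFrameDirectives(p).status, '<-', p);
```

A `conflict` result marks a policy whose frame-loading behaviour depends on which directive the user agent honours, so such policies are the ones to test in each target browser.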