You did raise it; it's on my list of things to look at, as the impact wasn't clear to me. I'll poke at that other thread. It's not clear to me that `frame-ancestors` should operate on origins, however: otherwise things like sandboxed frames become very complicated (for instance: we'd need syntax for allowing framing from a unique origin). -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Jul 3, 2014 at 8:13 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Thu, Jul 3, 2014 at 8:06 AM, Mike West <mkwst@google.com> wrote: > > Blob, on the other hand, only matches if the `blob:` scheme is > whitelisted > > (see > > > https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-guid-matching > ). > > Hmm again (I think I raised this at least), we are changing the way > blob URLs work. They will have an origin. See > http://url.spec.whatwg.org/#concept-url-origin > > > -- > http://annevankesteren.nl/ >
Received on Thursday, 3 July 2014 06:17:34 UTC