- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 2 Jun 2014 09:13:26 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Mike West <mike@mikewest.org>, WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>
Sure, I understand. But I have gotten questions in the past from smart folks about whether they could, e.g. use CSP / sandboxing to control execution of script resources served from their domain when they are included by off-origin resources. On Mon, Jun 2, 2014 at 9:08 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Mon, Jun 2, 2014 at 6:04 PM, Brad Hill <hillbrad@gmail.com> wrote: >> Among "JavaScript global environment", "document environment", >> "dedicated worker environment", "shared worker >> environment", and "worker environment", where does CSP state live and >> what loads get to influence it? Maybe a table would be helpful. > > CSP is at the same level, roughly. Though there is some mixing when it > comes to nested environments. > > > -- > http://annevankesteren.nl/
Received on Monday, 2 June 2014 16:13:55 UTC