Re: [CSP] kill or delay child-src?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 1 Sep 2014 11:04:39 +0200
Message-ID: <CADnb78jJKxLKJr3=--g4VHrJiZ4WkUmiB3gLB3081ghHV11f0Q@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Aug 27, 2014 at 9:49 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> If we keep child-src then the spec needs to say what happens during
> frame loads if a policy specifies both child-src and frame-src (and they
> aren't identical).

It does, no? It defers to frame-src for frame loads. Which says that
frame-src is used if present, and otherwise child sources are used.
Seems pretty explicit from
https://w3c.github.io/webappsec/specs/content-security-policy/#frame-src


-- 
http://annevankesteren.nl/
Received on Monday, 1 September 2014 09:05:17 UTC
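
The resolution order described in the message above, as an added example that is not part of the original post or of the specification text. The function names and sample policies are constructed for illustration, and the final default-src step is an assumption taken from CSP's general fallback behaviour rather than from the message.

```javascript
// Parse one serialized policy into a Map of directive name -> source list.
// Directive names are case-insensitive, and a repeated directive is ignored
// (the first occurrence wins), as in the CSP parsing rules.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return { directive, sources } for the directive that governs a frame load,
// or null when the policy places no restriction on frames.
// Order: frame-src if present, otherwise child-src (as the message states),
// then default-src (assumption: CSP's general fallback, not in the message).
function effectiveFrameDirective(policy) {
  const parsed = parsePolicy(policy);
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (parsed.has(name)) {
      return { directive: name, sources: parsed.get(name) };
    }
  }
  return null;
}

// Constructed sample policies; the hosts are placeholders.
const samples = [
  "child-src https://a.example; frame-src https://b.example", // both, not identical
  "child-src https://a.example",                              // child-src only
  "default-src 'self'; script-src https://cdn.example",       // neither frame directive
  "script-src 'self'",                                        // nothing applies to frames
  "Frame-Src 'none'; child-src *; frame-src *",               // mixed case plus duplicate
];

for (const policy of samples) {
  const result = effectiveFrameDirective(policy);
  const summary = result
    ? `${result.directive} ${result.sources.join(' ')}`
    : 'no restriction';
  console.log(`${policy}  =>  ${summary}`);
}
```

The first sample is the case raised in the quoted question: both directives are present with different source lists, and the frame load is checked against frame-src only.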