- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 1 Sep 2014 11:04:39 +0200
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Aug 27, 2014 at 9:49 AM, Daniel Veditz <dveditz@mozilla.com> wrote: > If we keep child-src then the spec needs to say what happens during > frame loads if a policy specifies both child-src and frame-src (and they > aren't identical). It does no? It defers to frame-src for frame loads. Which says that frame-src is used if present, and otherwise child sources are used. Seems pretty explicit from https://w3c.github.io/webappsec/specs/content-security-policy/#frame-src -- http://annevankesteren.nl/
Received on Monday, 1 September 2014 09:05:17 UTC