- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 31 Mar 2016 17:05:18 -0700
- To: Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 1 April 2016 00:05:48 UTC
I don't remember the rationale behind form-action without looking it up but I suspect it was rather more the fact that default-src doesn't block navigations. Submitting forms is more like navigating than loading resources into a document.

Breakage definitely was not the rationale behind frame-ancestors. That directive describes the embedding context (like the sandbox directive) and has nothing to do with resources loaded by that document.

So far we've worked to give directives "-src" names if they're going to be controlled by default-src.

-Dan Veditz
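The fallback behaviour discussed in this message, as an added example that is not part of the original e-mail: a small policy audit that resolves which source list governs a directive and reports when form-action or frame-ancestors are left unrestricted by a policy that relies on default-src alone. The function names, the sample policy and the CSP Level 2 fetch-directive list used here are assumptions of the example.

```javascript
// Added example (not from the original message).
// CSP Level 2 fetch directives that inherit from default-src when absent.
const FALLS_BACK_TO_DEFAULT = new Set([
  "child-src", "connect-src", "font-src", "img-src",
  "media-src", "object-src", "script-src", "style-src",
]);
// Directives named in the message that default-src does not control.
const NOT_COVERED_BY_DEFAULT = ["form-action", "frame-ancestors"];

// Parse a Content-Security-Policy header value into Map(name -> sources).
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the source list that governs `directive`, and where it came from,
// or null when nothing in the policy restricts it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) {
    return { from: directive, sources: policy.get(directive) };
  }
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) {
    return { from: "default-src", sources: policy.get("default-src") };
  }
  return null;
}

// List the navigation/embedding directives the policy leaves unrestricted.
function unrestrictedNonFetch(header) {
  const policy = parsePolicy(header);
  return NOT_COVERED_BY_DEFAULT.filter(
    (d) => effectiveSources(policy, d) === null
  );
}

// Constructed sample policy: looks locked down, but only for resource loads.
const sample = "default-src 'none'; img-src https://cdn.example";
console.log(effectiveSources(parsePolicy(sample), "script-src"));
console.log(unrestrictedNonFetch(sample)); // both directives are reported
```
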