Re: On the Content Security Policy Violations due to Same Origin Policy

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 15 Nov 2016 09:58:35 -0800
Message-ID: <CADYDTCAoM0mUOkdDmPTjuJzwZ7zhfxYJANxQwhXK+Ta-1ns6WA@mail.gmail.com>
To: Dolière Francis SOME <doliere.some@inria.fr>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@fb.com>, Nataliia Bielova <nataliia.bielova@inria.fr>, Tamara Rezk <tamara.rezk@inria.fr>
On Tue, Nov 15, 2016 at 2:52 AM, Dolière Francis SOME <doliere.some@inria.fr> wrote:

> We have reported this issue to Mozilla (bug number 1305076) since we thought it’s a bug in
> their implementation.

It's a bug in our implementation.


> Do you think that CSP should still apply to sandboxed srcdoc iframes
> without “allow-same-origin”?

Yes.

-
Dan Veditz
Received on Tuesday, 15 November 2016 17:59:09 UTC
