- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 22 Jun 2012 23:22:20 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- Cc: whatwg <whatwg@lists.whatwg.org>
On Fri, 22 Jun 2012, Adam Barth wrote:
> >>
> >> When creating a srcdoc document, in the same way that we copy the
> >> parent document's origin onto the child document, we should:
> >>
> >> 1) /enforce/, on the srcdoc document, all CSP policies currently being
> >> enforced on the parent document.
> >> 2) /monitor/, on the srcdoc document, all CSP policies currently being
> >> monitored on the parent document.
> >
> > [...] why is srcdoc="" special here?
>
> It's special because it's a way of specifying a resource other than
> providing a URI for that resource. If you like, we could consider this
> an "inline" resource and block it unless the policy contains
> 'unsafe-inline', but that seems less useful than just inheriting the CSP
> policy the same way we inherit the parent document's origin and title.

Fair enough. I think this belongs in the CSP spec, though.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 22 June 2012 23:23:28 UTC