
Re: [whatwg] <iframe srcdoc> and Content-Security-Policy

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 22 Jun 2012 23:22:20 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
Message-ID: <Pine.LNX.4.64.1206222321330.26380@ps20323.dreamhostps.com>
Cc: whatwg <whatwg@lists.whatwg.org>
On Fri, 22 Jun 2012, Adam Barth wrote:
> >>
> >> When creating a srcdoc document, in the same way that we copy the 
> >> parent document's origin onto the child document, we should:
> >>
> >> 1) /enforce/, on the srcdoc document, all CSP policies currently being
> >> enforced on the parent document.
> >> 2) /monitor/, on the srcdoc document, all CSP policies currently being
> >> monitored on the parent document.
> >
> > [...] why is srcdoc="" special here?
> 
> It's special because it's a way of specifying a resource other than 
> providing a URI for that resource.  If you like, we could consider this 
> an "inline" resource and block it unless the policy contains 
> 'unsafe-inline', but that seems less useful than just inheriting the CSP 
> policy the same way we inherit the parent document's origin and title.

Fair enough.

I think this belongs in the CSP spec, though.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 22 June 2012 23:23:28 UTC
