
Re: [whatwg] <iframe srcdoc> and Content-Security-Policy

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 22 Jun 2012 16:24:18 -0700
Message-ID: <CAJE5ia-cd3NbEwDevuoHap9-0teFR_8NuMo37-2uXG+4N097CA@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: whatwg <whatwg@lists.whatwg.org>

On Fri, Jun 22, 2012 at 4:22 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Fri, 22 Jun 2012, Adam Barth wrote:
>> >>
>> >> When creating a srcdoc document, in the same way that we copy the
>> >> parent document's origin onto the child document, we should:
>> >>
>> >> 1) /enforce/, on the srcdoc document, all CSP policies currently being
>> >> enforced on the parent document.
>> >> 2) /monitor/, on the srcdoc document, all CSP policies currently being
>> >> monitored on the parent document.
>> >
>> > [...] why is srcdoc="" special here?
>>
>> It's special because it's a way of specifying a resource other than
>> providing a URI for that resource.  If you like, we could consider this
>> an "inline" resource and block it unless the policy contains
>> 'unsafe-inline', but that seems less useful than just inheriting the CSP
>> policy the same way we inherit the parent document's origin and title.
>
> Fair enough.
>
> I think this belongs in the CSP spec, though.

Ok.  Thanks.

Adam
Received on Friday, 22 June 2012 23:25:20 UTC
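The inheritance rule the thread settles on (copy the parent's enforced and monitored CSP policies onto the srcdoc document, the same way its origin is copied) can be modelled in a few dozen lines. The block below is an added example written for this archive page, not code from the thread, the WHATWG specs or any browser engine. Origins such as app.example and cdn.example, the policy strings and the srcdoc payload are constructed for the demo, and policy evaluation is reduced to script-src with 'self', 'unsafe-inline', '*' and host sources. The contrast it draws is the security point behind Adam Barth's proposal: a srcdoc document has no HTTP response of its own, so without inheritance attacker-influenced srcdoc markup would carry no policy and an injected inline script would run even though the parent forbids it.

```javascript
// Added example: model of the srcdoc CSP-inheritance rule from the thread.
// Not browser or spec code. All origins, policies and payloads are made up.

// Parse "script-src 'self' https://cdn.example; img-src *" into a Map of
// directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one policy allow this script? `script` is { inline: true } or { url }.
// Only 'self', 'unsafe-inline', '*' and https?:// host origins are modelled.
function policyAllowsScript(policy, script, documentOrigin) {
  const sources = policy.get("script-src") || policy.get("default-src");
  if (!sources) return true; // no applicable directive, nothing to enforce
  if (script.inline) return sources.includes("'unsafe-inline'");
  const origin = new URL(script.url).origin;
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return origin === documentOrigin;
    return /^https?:\/\//.test(src) && new URL(src).origin === origin;
  });
}

// A document carries an origin plus "enforced" and "monitored" policy lists.
function makeDocument(origin, enforced, monitored) {
  return { origin, enforced, monitored };
}

// A document loaded from a URL gets its policies from its own response.
function documentFromResponse(url, headers = {}) {
  const enforce = headers["content-security-policy"];
  const monitor = headers["content-security-policy-report-only"];
  return makeDocument(
    new URL(url).origin,
    enforce ? [parsePolicy(enforce)] : [],
    monitor ? [parsePolicy(monitor)] : []
  );
}

// The rule from the thread: a srcdoc child inherits the parent's origin and
// both policy lists, since it has no response of its own to carry headers.
// A child loaded from a URL is governed only by its own response headers.
function createChildDocument(parent, frame) {
  if ("srcdoc" in frame) {
    return makeDocument(parent.origin, [...parent.enforced], [...parent.monitored]);
  }
  return documentFromResponse(frame.src, frame.responseHeaders);
}

// Blocked if any enforced policy rejects the script; reported if any
// monitored policy rejects it.
function evaluateScript(doc, script) {
  const blocked = doc.enforced.some((p) => !policyAllowsScript(p, script, doc.origin));
  const reported = doc.monitored.some((p) => !policyAllowsScript(p, script, doc.origin));
  return { blocked, reported };
}

// Demo: the parent allows scripts from itself and one CDN, and monitors a
// stricter self-only policy. A srcdoc frame renders user-influenced markup
// into which an inline script has been injected (constructed payload).
const parent = documentFromResponse("https://app.example/page", {
  "content-security-policy": "script-src 'self' https://cdn.example",
  "content-security-policy-report-only": "script-src 'self'",
});

const srcdocChild = createChildDocument(parent, {
  srcdoc: "<p>user content</p><script>alert(1)</script>",
});

// With inheritance the injected inline script is blocked inside the frame
// and also shows up as a report-only violation.
const INLINE_IN_SRCDOC = evaluateScript(srcdocChild, { inline: true });

// A CDN script inside the frame is allowed by the enforced policy but
// flagged by the monitored one, exactly as it would be in the parent.
const CDN_IN_SRCDOC = evaluateScript(srcdocChild, { url: "https://cdn.example/lib.js" });

// The alternative the thread argues against: a srcdoc document with no
// inherited policy carries no policy at all, so the same payload runs.
const orphanChild = makeDocument(parent.origin, [], []);
const INLINE_WITHOUT_INHERITANCE = evaluateScript(orphanChild, { inline: true });

if (typeof require !== "undefined" && require.main === module) {
  console.log({ INLINE_IN_SRCDOC, CDN_IN_SRCDOC, INLINE_WITHOUT_INHERITANCE });
}
```

Run it with node; the three results show blocked/reported true for the inline script under inheritance, allowed-but-reported for the CDN script, and nothing blocked for the orphan document. The 'self' check in the srcdoc child also depends on the inherited origin: a script from https://app.example passes inside the frame only because the child's origin was copied from the parent along with the policies.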
