- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 22 Jun 2012 16:24:18 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: whatwg <whatwg@lists.whatwg.org>
On Fri, Jun 22, 2012 at 4:22 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Fri, 22 Jun 2012, Adam Barth wrote:
>> >>
>> >> When creating a srcdoc document, in the same way that we copy the
>> >> parent document's origin onto the child document, we should:
>> >>
>> >> 1) /enforce/, on the srcdoc document, all CSP policies currently being
>> >> enforced on the parent document.
>> >> 2) /monitor/, on the srcdoc document, all CSP policies currently being
>> >> monitored on the parent document.
>> >
>> > [...] why is srcdoc="" special here?
>>
>> It's special because it's a way of specifying a resource other than
>> providing a URI for that resource. If you like, we could consider this
>> an "inline" resource and block it unless the policy contains
>> 'unsafe-inline', but that seems less useful than just inheriting the CSP
>> policy the same way we inherit the parent document's origin and title.
>
> Fair enough.
>
> I think this belongs in the CSP spec, though.

Ok. Thanks.

Adam
Received on Friday, 22 June 2012 23:25:20 UTC
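A toy model of the inheritance rule Adam proposes, added here as an illustration and not part of the thread: a srcdoc document copies its parent's origin, enforced policies and monitored (report-only) policies, and an inline script inside it is blocked or merely reported depending on which of those policies lack 'unsafe-inline'. The policy strings are constructed samples and the document objects are a hypothetical model, not browser APIs.

```javascript
// Toy model of CSP inheritance for srcdoc documents (added example, not a
// browser API). Policy header values below are constructed samples.

// Parse a CSP header value into a Map of directive name -> source list.
// Per CSP, a repeated directive name is ignored after its first occurrence.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Effective source list for a directive, falling back to default-src;
// null means the policy does not restrict that directive at all.
function sourcesFor(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src') ?? null;
}

// The proposal: a srcdoc child copies the parent's origin and both policy
// lists, exactly as the origin is already copied today.
function createSrcdocDocument(parent) {
  return {
    origin: parent.origin,
    enforced: [...parent.enforced],
    monitored: [...parent.monitored],
  };
}

// Would an inline <script> in this document be blocked (by an enforced
// policy) and/or reported (by a monitored policy)?
function evaluateInlineScript(doc) {
  const violates = (policy) => {
    const src = sourcesFor(policy, 'script-src');
    return src !== null && !src.includes("'unsafe-inline'");
  };
  return {
    blocked: doc.enforced.some(violates),
    reported: doc.monitored.some(violates),
  };
}

const parent = {
  origin: 'https://example.test', // constructed sample origin
  enforced: [parsePolicy("default-src 'self'; script-src 'self' 'unsafe-inline'")],
  monitored: [parsePolicy("script-src 'self'")],
};
const child = createSrcdocDocument(parent);
```

For the sample parent above, the inherited enforced policy permits the inline script while the inherited report-only policy reports it, which is the enforce/monitor split the proposal preserves.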