[whatwg] <iframe srcdoc> and Content-Security-Policy
Ian Hickson
ian at hixie.ch
Fri Jun 22 16:22:20 PDT 2012
On Fri, 22 Jun 2012, Adam Barth wrote:
> >>
> >> When creating a srcdoc document, in the same way that we copy the
> >> parent document's origin onto the child document, we should:
> >>
> >> 1) /enforce/, on the srcdoc document, all CSP policies currently being
> >> enforced on the parent document.
> >> 2) /monitor/, on the srcdoc document, all CSP policies currently being
> >> monitored on the parent document.
> >
> > [...] why is srcdoc="" special here?
>
> It's special because it's a way of specifying a resource other than
> providing a URI for that resource. If you like, we could consider this
> an "inline" resource and block it unless the policy contains
> 'unsafe-inline', but that seems less useful than just inheriting the CSP
> policy the same way we inherit the parent document's origin and title.
Fair enough.
I think this belongs in the CSP spec, though.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
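The inheritance rule Adam proposes above (srcdoc document enforces what the parent enforces and monitors what the parent monitors, while a child loaded from a URL gets policies only from its own response) is small enough to model in a few functions. The block below is an added illustration written for this archive page, not code from the thread, from any browser, or from the CSP spec; the document objects, the header-shaped inputs and the helper names (`parseCsp`, `createSrcdocDocument`, `createUrlDocument`, `checkInlineScript`) are assumptions of this model. It only handles the `'unsafe-inline'` keyword and the `script-src` to `default-src` fallback; nonces, hashes and the other source expressions are left out.

```javascript
// Added example: a minimal model of the srcdoc/CSP inheritance rule discussed in the
// thread. Not browser code; all structures here are assumptions of this illustration.

// Parse a Content-Security-Policy header value into Map<directive, sourceList>.
// Directive names are case-insensitive; if a directive appears twice, the first wins.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// A document carries two policy lists: the ones it enforces and the ones it only
// monitors (report-only). `headers` is a constructed, lower-cased header map.
function documentFromResponse(headers) {
  return {
    enforced: (headers['content-security-policy'] || []).map(parseCsp),
    monitored: (headers['content-security-policy-report-only'] || []).map(parseCsp),
  };
}

// The rule from the thread: a srcdoc document gets copies of the parent's enforced and
// monitored policies, the same way it gets the parent's origin.
function createSrcdocDocument(parent) {
  return {
    enforced: parent.enforced.map(p => new Map(p)),
    monitored: parent.monitored.map(p => new Map(p)),
  };
}

// A child frame navigated to a URL is governed by the policies in its own response,
// not by anything the parent enforces or monitors.
function createUrlDocument(childHeaders) {
  return documentFromResponse(childHeaders);
}

// Does one policy permit an inline <script>? script-src falls back to default-src;
// when neither directive is present the policy does not restrict scripts at all.
// Simplification: only the 'unsafe-inline' keyword is recognised (no nonces/hashes).
function policyAllowsInlineScript(policy) {
  const list = policy.get('script-src') ?? policy.get('default-src');
  if (list === undefined) return true;
  return list.some(src => src.toLowerCase() === "'unsafe-inline'");
}

// Evaluate an inline <script> in a document: blocked if any enforced policy forbids
// it, reported (but still run) if any monitored policy forbids it.
function checkInlineScript(doc) {
  return {
    blocked: doc.enforced.some(p => !policyAllowsInlineScript(p)),
    reported: doc.monitored.some(p => !policyAllowsInlineScript(p)),
  };
}

// Constructed sample: a parent that enforces script-src 'self' and monitors a stricter
// default-src 'none' policy.
const parent = documentFromResponse({
  'content-security-policy': ["default-src 'self'; script-src 'self'"],
  'content-security-policy-report-only': ["default-src 'none'"],
});

// Inline script in the srcdoc child is blocked and reported, because both of the
// parent's policies were copied onto it.
const srcdocResult = checkInlineScript(createSrcdocDocument(parent));

// The same markup loaded from a URL whose response carries no CSP is unrestricted.
const urlResult = checkInlineScript(createUrlDocument({}));

// A parent that only monitors: the srcdoc child reports but does not block.
const monitorOnlyParent = documentFromResponse({
  'content-security-policy-report-only': ["script-src 'self'"],
});
const monitorOnlyResult = checkInlineScript(createSrcdocDocument(monitorOnlyParent));

console.log({ srcdocResult, urlResult, monitorOnlyResult });
```

To see the same effect in a browser rather than in this model, serve a page with a `Content-Security-Policy: script-src 'self'` response header and put `<iframe srcdoc="<script>...</script>">` in it; the inline script in the srcdoc frame is refused under the inherited policy, while a frame pointed at a URL whose response carries no CSP runs it.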