ISSUE-15: How to handle srcdoc, blob:, di: and ways of directly creating content
SRCDOC, BLOB, ETC
- State:
- CLOSED
- Product:
- CSP Level 2
- Raised by:
- Brad Hill
- Opened on:
- 2012-07-03
- Description:
- http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html
How to handle "inline" content either by attribute or URI schemes that specify content or origin-ambiguous pointers to content needs to be documented. This may provide a way for injected content to add unauthorized content if such content does not inherit the parent's CSP policies, for example.
- Related Action Items:
- ACTION-115 on Adam Barth to Make proposal on handling of srcdoc, blob, etc. (ISSUE-15) - due 2013-05-07, pending review
- Related emails:
- No related emails
Related notes:
Re-raise for 1.1 as these features are not currently widely implemented.
srcdoc is different because it has no URI
Re-opened for CSP 1.1
Brad Hill, 15 Jan 2013, 17:46:17 [bhill]: http://www.w3.org/2011/webappsec/track/issues/15
29 Jan 2013, 22:09:11:
* srcdoc inherits parent's policy.
* blob, filesystem, etc. must be explicitly whitelisted in *-src.
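The two notes above are the substance of the resolution: a srcdoc document has no URL of its own, so it is governed by the embedding document's policy, while a blob: or filesystem: URL is a fetchable resource with a scheme that 'self' does not cover, so a page that wants to load such content must list the scheme in the relevant *-src directive. The following is an added example written for this page, not code from the W3C tracker, the CSP specification or any browser: a simplified source-list matcher plus a helper that models which policy governs a nested frame. The function names, the policy, the origin https://app.example and the blob URL are all assumptions of the example.

```javascript
// Added example (not tracker or spec code): a simplified CSP source-list
// matcher plus a helper modelling the ISSUE-15 resolution. Policies are
// plain objects mapping directive name to its value; origins and URLs below
// are constructed for the demonstration.

// Split a directive value such as "'self' https://cdn.example.com blob:"
// into its source expressions.
function parseSourceList(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// Does one source expression match `url` for a document at `docOrigin`?
// Handles 'none', 'self', scheme-source ("blob:", "https:") and host-source
// (optional scheme, optional "*." wildcard, optional port). Path matching
// and default-port normalisation are omitted to keep the example short.
function sourceMatches(expr, url, docOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    // 'self' means same scheme, host and port as the document. A blob: or
    // filesystem: URL has a different scheme, so it never matches 'self',
    // even when the script that minted it ran in this very document.
    return url.protocol === docOrigin.protocol && url.host === docOrigin.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    // scheme-source: "blob:" authorises every blob: URL, and so on.
    return url.protocol.toLowerCase() === expr.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const urlScheme = url.protocol.replace(/:$/, "").toLowerCase();
  const docScheme = docOrigin.protocol.replace(/:$/, "").toLowerCase();
  if (scheme) {
    if (scheme.toLowerCase() !== urlScheme) return false;
  } else if (urlScheme !== docScheme && urlScheme !== "https") {
    return false; // scheme omitted: the document's own scheme, or https
  }
  const hostLower = host.toLowerCase();
  const hostOk = wildcard
    ? url.hostname.endsWith("." + hostLower)
    : url.hostname === hostLower;
  if (!hostOk) return false;
  if (port === undefined) return url.port === ""; // default port only
  return port === "*" || url.port === port;
}

// Would a fetch of `urlString` be permitted by a directive whose value is
// `sourceList`, for a document whose origin is `documentOrigin`?
function allowedBy(sourceList, urlString, documentOrigin) {
  const url = new URL(urlString);
  const docOrigin = new URL(documentOrigin);
  return parseSourceList(sourceList).some((e) => sourceMatches(e, url, docOrigin));
}

// Which policy governs a nested document? A srcdoc iframe has no URL of its
// own from which a Content-Security-Policy header could arrive, so it is
// governed by the embedding document's policy (the resolution above). A frame
// navigated to a URL is governed by the policy that response delivered.
function governingPolicy(frame, parentPolicy) {
  return frame.srcdoc !== undefined ? parentPolicy : (frame.ownPolicy || {});
}

// Inline <script> in a document is allowed only if its script-src says so.
function inlineScriptAllowed(policy) {
  const value = policy["script-src"];
  return value !== undefined && parseSourceList(value).includes("'unsafe-inline'");
}

// Demonstration with constructed values.
const parentPolicy = { "script-src": "'self' https://cdn.example.com" };
const origin = "https://app.example";
const blobUrl = "blob:https://app.example/3b2c9d1e-constructed";

console.log(allowedBy(parentPolicy["script-src"], "https://app.example/app.js", origin)); // true
console.log(allowedBy(parentPolicy["script-src"], blobUrl, origin));                      // false: 'self' does not cover blob:
console.log(allowedBy("'self' blob:", blobUrl, origin));                                  // true: blob: listed explicitly
const injected = { srcdoc: "<script>alert(document.cookie)</script>" };
console.log(inlineScriptAllowed(governingPolicy(injected, parentPolicy)));                // false: inherits the parent's policy, which lacks 'unsafe-inline'
```

The practical check this encodes: an injected `<iframe srcdoc>` cannot be used to escape the parent's script-src, because the srcdoc document is evaluated under that same policy, whereas a blob: (or filesystem:) URL is simply another fetch, and it only succeeds if the page's own policy names the scheme.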