Wilks, Dan
Feb 13, 2015, 3:57:08 PM
to dev-se...@lists.mozilla.org
Hi,
Sorry if this is the wrong place to ask, feel free to redirect me to a more appropriate list.
We’re applying Content-Security-Policy to our site and Firefox is applying the Content-Security-Policy of the page to the contents of an iframe loaded with the src attribute.
I see that the CSP2 spec indicates that iframe srcdoc must be processed using the document’s CSP but couldn’t find anything about iframes loaded from external sites.
Of course Chrome happily ignores the document’s CSP when loading the iframe contents. I was just wondering if this was expected behavior, the interpretation of a silent spec, an oversight, or a bug?
Many thanks