Talk:Security/CSP/Spec: Difference between revisions

Line 195:
--duryodhan


== <tt>frame-src</tt> Consistent Across Navigation  (<span style="color:green;">OPEN</span>) ==
== <tt>frame-src</tt> Consistent Across Navigation  (<span style="color:red;">CLOSED</span>) ==


The frame-src restriction does not appear to take navigation into account.  Suppose example.com has a refresh.php that serves a page with a Meta Refresh (e.g., like http://www.wizards.com/leaving.asp?url=http://www.adambarth.com/ but
Line 234:


Once you XSS any page, can't you just XHR the a/c data page and get the data? Or are you saying that the A/C data page would have required the user to re-enter his password? I just think this case then becomes too contrived/obscure for CSP to take care of -- any such really sensitive page just shouldn't have an iframe from another page imho. --duryodhan
I'm going to close this.  I'll try to make it more clear in the spec that this is the case with frame-src (it is not eternally enforced), but I think a happy compromise enforces the frame-src policy on HTTP redirects (30x) while missing refreshes/js redirects. 
Resolution: Not changed.  frame-src is enforced for HTTP redirects (30x).
-[[User:Sidstamm|Sid]]


== <strike>video and audio src</strike> ==