We discussed that 'self' inherited by a local scheme (e.g. a data: URL) should be treated as the local scheme itself.
But this means that if the website https://A.com wants to load data: frames and wishes to load resources inside those data: frames from itself, then they need to give up on default-src 'self' and they should add default-src https://A.com.
Is this how a website should implement CSP? It seems complicated.
The other use case to consider is: what about a data: URI iframe that ships a meta CSP using 'self'? Unique origins don't even match themselves, hence 'self' does not make any sense in that scenario.
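The situation described in this thread, as an added example that is not part of the original issue or of any spec text: a simplified JavaScript model in which 'self' is resolved against the data: frame's own opaque origin. The function names and sample URLs are constructed for illustration, and host-source matching is reduced to an origin comparison (an assumption, not the CSP matching algorithm).

```javascript
// Added illustration: a simplified model of the behaviour discussed in this
// issue, not the CSP specification's matching algorithm.

// Origin as the URL parser reports it; data: URLs yield the opaque origin "null".
function originOf(url) {
  return new URL(url).origin;
}

// Opaque ("null") origins are never equal to anything, themselves included.
function sameOrigin(a, b) {
  return a !== "null" && b !== "null" && a === b;
}

// Does one source expression allow `resourceUrl` for a document at `documentUrl`?
// Assumption: 'self' is resolved against the document itself, even when the
// policy was inherited from the embedding page.
function sourceAllows(source, resourceUrl, documentUrl) {
  const resourceOrigin = originOf(resourceUrl);
  if (source === "'self'") {
    return sameOrigin(originOf(documentUrl), resourceOrigin);
  }
  // Host-source: compared by origin only (paths and wildcards are left out).
  return sameOrigin(originOf(source), resourceOrigin);
}

function policyAllows(sources, resourceUrl, documentUrl) {
  return sources.some((s) => sourceAllows(s, resourceUrl, documentUrl));
}

// Constructed sample URLs.
const PAGE = "https://A.com/index.html";
const DATA_FRAME = "data:text/html,<p>framed</p>";
const RESOURCE = "https://A.com/app.js";

function demo() {
  return {
    // Top-level page: 'self' covers the site's own script.
    pageSelf: policyAllows(["'self'"], RESOURCE, PAGE),
    // Same policy inside the data: frame: 'self' no longer covers it.
    frameSelf: policyAllows(["'self'"], RESOURCE, DATA_FRAME),
    // Spelling the origin out works in the data: frame.
    frameExplicit: policyAllows(["https://A.com"], RESOURCE, DATA_FRAME),
    // A meta CSP with 'self' in the data: frame does not even match the frame.
    frameSelfOnItself: policyAllows(["'self'"], DATA_FRAME, DATA_FRAME),
  };
}

console.log(demo());
```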