
current CSP testing policy would block frames
Closed, Invalid · Public


The current CSP policy we are testing doesn't specify a frame-src, hence it would default to default-src.

To determine: is this something we want? There are legit reasons to block frames, but perhaps that's not something to do right now.

Event Timeline

Bawolff created this task. Nov 8 2018, 8:37 AM
Restricted Application added a subscriber: Aklapper. Nov 8 2018, 8:37 AM
Bawolff closed this task as Invalid. Nov 8 2018, 2:36 PM

I'm confused. frame-src blocks what frames you are embedding, not where you are embedded in.
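
The fallback described in the task and the distinction drawn in the closing comment, as an added example that is not part of the original task or of MediaWiki's code: a small resolver showing which directive ends up governing embedded frames (`frame-src`, then `child-src`, then `default-src`, per CSP Level 3) and that `frame-ancestors`, which controls who may embed the page, never inherits from `default-src`. The policy strings and the names `parseCsp` and `effective` are constructed for illustration.

```javascript
// Added example: constructed policies, not the policy under test in the task.
// Fallback chains per CSP Level 3. frame-ancestors is a navigation directive
// and has no fallback: omitting it means "embeddable anywhere".
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'child-src': ['child-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
  'frame-ancestors': ['frame-ancestors'],
};

// Parse a serialized policy into Map<directive, sources[]>.
// Directive names are case-insensitive; a repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the directive that actually governs `name` and its source list,
// or null when nothing in the policy restricts it.
function effective(policy, name) {
  for (const candidate of FALLBACK[name] || [name]) {
    if (policy.has(candidate)) {
      return { from: candidate, sources: policy.get(candidate) };
    }
  }
  return null;
}

// Constructed sample: no frame-src, so embedded frames are limited by default-src.
const samplePolicy = parseCsp("default-src 'self'; script-src 'self' 'nonce-abc'");
for (const name of ['frame-src', 'frame-ancestors']) {
  const hit = effective(samplePolicy, name);
  console.log(name, '->', hit ? `${hit.from}: ${hit.sources.join(' ')}` : 'unrestricted');
}
```

With the sample policy, a cross-origin `<iframe>` on the page is blocked through `default-src 'self'`, while other sites remain free to frame the page because no `frame-ancestors` directive is present.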