Consider integrity enforcement of iframe #21
2 participants
How would this work with navigation of the contents? Or even the initial creation of <iframe> which will always load about:blank.
shekyan
commented
Dec 15, 2015
It shouldn't. The way I see it is that integrity is checked for primary resource loaded with response code 2xx. (browsers can be helpful there and show supported digests of the content in "view source" tab). Once navigated away - let it load whatever. Integrity can also be checked if initial load is from data:, file:, filesystem:.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I can see enforcing integrity of iframe source can be useful when dealing with non-trusted origins.