On 10 January 2014 14:08, Frederik Braun <fbr...@mozilla.com> wrote:
> Yes, imagine an XSS vulnerability on example.com. Using this to include
> imported.com shouldn't mean that the CSP in place (which allows
> imported.com) is suddenly allowing everything that is also mentioned in
> the policy of imported.com.
>

Sorry I don't follow. In your example, you said the CSP of imported.com was 'self' only.