ggaren at apple.com
Sun Mar 17 20:56:50 PDT 2013
> Unfortunately, you can't implement CSP that way.
> Consider the case of
> two same-origin iframes A and B. Suppose A has a restrictive CSP
> policy (say that bans everything) and B doesn't. If B uses the DOM to
> insert a script element into A, then CSP should block that script
> element from executing. Stripping script tags at parse time won't.
FWIW, I interpreted the phrases "enforcing a directive prevents the protected resource from performing certain actions" and "Enforcing a CSP policy should not interfere with the operation of user-supplied scripts" as indicating that CSP applied to the resource as loaded from its origin only, and not to other scripts operating on the resulting DOM.
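A single-file demonstration of the scenario in the quoted paragraph, added here as an example and not part of the original thread: two same-origin srcdoc iframes, A with a meta CSP of script-src 'none' and B with no policy; B inserts an inline script into A's DOM and A's policy is what decides whether it runs. The frame names, the injectIntoA() helper and the `ran` marker are assumptions made for the demo.

```html
<!doctype html>
<meta charset="utf-8">
<title>CSP follows the document, not the script's author</title>
<!-- Constructed demo: frame A carries a restrictive policy, frame B carries none.
     Frame names, the injectIntoA() helper and the `ran` marker are assumptions. -->

<iframe name="A" srcdoc="
  <meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'none'&quot;>
  <p>Frame A: script-src 'none'</p>
"></iframe>

<iframe name="B" srcdoc="
  <p>Frame B: no policy</p>
  <script>
    // Same origin, so B may edit A's DOM; the inserted element's node document
    // is A, so it is A's policy that governs whether it executes.
    function injectIntoA() {
      const aDoc = parent.frames['A'].document;
      const s = aDoc.createElement('script');
      s.textContent = 'window.ran = true;';
      aDoc.body.appendChild(s);
    }
  </script>
"></iframe>

<pre id="out"></pre>
<script>
  const log = (m) => { document.getElementById('out').textContent += m + '\n'; };
  // The parent's load event fires only once both srcdoc frames have loaded.
  window.addEventListener('load', () => {
    const aDoc = frames['A'].document;
    // A cannot run scripts under its policy, but its same-origin parent can
    // still attach a listener to A's document and observe the block.
    aDoc.addEventListener('securitypolicyviolation', (e) => {
      log(`A reported a violation of ${e.violatedDirective} for the script B inserted`);
    });
    frames['B'].injectIntoA();
    // Report after the (blocked) script would otherwise have executed.
    setTimeout(() => log(`did the injected script run in A? ${frames['A'].ran === true}`), 100);
  });
</script>
```

Open the file in a browser: the violation event fires on A's document and the marker never appears in A, which is the execution-time enforcement the quoted message says parse-time stripping cannot provide.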