
Re: Using CSP

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 26 Jul 2011 13:07:15 -0400
Message-ID: <4E2EF443.9@mit.edu>
To: "Hill, Brad" <bhill@paypal-inc.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>

On 7/26/11 12:58 PM, Hill, Brad wrote:
> The threat is that the secure content will be spoofed, but there are plenty of common use cases for this, where the content of the HTTPS iframe has a very low risk of spoofing.  For example, a personalized "Like", "+1", or "Pay" button.

OK, I'm with you so far.

> These buttons likely originate at an HTTPS only site, but are commonly embedded in HTTP content.

In this situation, using the 'self' CSP directive in the button would 
make it not embeddable even if the content were HTTPS, since presumably 
the content is on a different server.

Again, the context here is that HTTP content is framing HTTPS content at 
the same host and the latter wants to use 'self' in allow-frames to 
allow the framing.  _That_ is what I would like to understand use cases for.

-Boris
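A worked illustration of the origin comparison Boris is describing, added here as an example and not part of the thread. It uses the modern directive name frame-ancestors (the thread's "allow-frames" was an early name for the same idea) and assumes the strict reading of 'self': the framing document's origin must match the protected resource's scheme, host and effective port. The button and embedding URLs are constructed for the demonstration; wildcards and path matching are deliberately left out.

```python
from urllib.parse import urlsplit

# Default ports so that https://host and https://host:443 compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def source_matches(source, protected_origin, ancestor_origin):
    """Evaluate one frame-ancestors source expression against the framing origin."""
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        # 'self' is the protected resource's own origin: scheme, host AND port
        # must all agree, so an HTTP parent never matches an HTTPS child.
        return ancestor_origin == protected_origin
    # Anything else is treated as an explicit scheme://host[:port] origin
    # (assumption for this example: no wildcard or scheme-only sources).
    return ancestor_origin == origin_of(src)


def frame_ancestors_allows(policy, protected_url, ancestor_url):
    """True if any source in the policy permits ancestor_url to frame protected_url."""
    protected = origin_of(protected_url)
    ancestor = origin_of(ancestor_url)
    return any(source_matches(s, protected, ancestor) for s in policy.split())


def self_mismatch(protected_url, ancestor_url):
    """List which origin components stop 'self' from matching (empty list = match)."""
    names = ("scheme", "host", "port")
    p, a = origin_of(protected_url), origin_of(ancestor_url)
    return [n for n, x, y in zip(names, p, a) if x != y]


if __name__ == "__main__":
    button = "https://buttons.example.com/like"  # constructed HTTPS-only widget
    for policy, parent in [
        ("'self'", "http://buttons.example.com/page"),      # same host, HTTP parent
        ("'self'", "https://www.example.org/blog"),         # HTTPS, different host
        ("'self'", "https://buttons.example.com:443/app"),  # genuinely same origin
        ("https://www.example.org", "https://www.example.org/blog"),  # listed explicitly
    ]:
        verdict = frame_ancestors_allows(policy, button, parent)
        print(f"{policy:28} {parent:40} -> {'allowed' if verdict else 'blocked'}",
              f"(mismatch: {self_mismatch(button, parent)})" if not verdict else "")
```

The first two rows show Boris's point: with 'self', the widget is blocked both when the same host frames it over plain HTTP (scheme and effective port differ) and when any other HTTPS site frames it (host differs). A widget that is meant to be embedded by third parties therefore has to name those embedding origins explicitly, as in the last row, rather than rely on 'self'.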
Received on Tuesday, 26 July 2011 17:07:43 GMT
