- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 26 Jul 2011 13:26:59 -0400
- To: "Hill, Brad" <bhill@paypal-inc.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
On 7/26/11 1:21 PM, Hill, Brad wrote:
>> Again, the context here is that HTTP content is framing HTTPS content at the same host
>> and the latter wants to use 'self' in allow-frames to allow the framing. _That_ is what I
>> would like to understand use cases for.
>
> That's not how I understood it. I think the request was that "self", in the context of CSP for an HTTP resource, also implicitly include HTTPS of the same origin.

That was sort of the request, yes.

> In the context of IFRAMEs this is about loading the framed content from HTTPS; it is not about the HTTPS resource's declarations of who might have permission to frame it.

The precise quote was:

  The problem is that if you use, for instance, "frame-src 'self'" to ensure that your pages cannot be framed in another site,

I hadn't realized when I read that that the part starting "to ensure" was just completely unrelated to the actual CSP directive used.

I can see the argument for allowing linking to an https frame on the same server, I guess. It still feels like something more likely to be used to feel good about security than to actually be secure, but I take your point about incremental movement to https.

-Boris
Received on Tuesday, 26 July 2011 17:27:28 UTC
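As an added illustration of the 'self' question debated in this thread (example code written for this page, not from the thread, the W3C drafts, or any browser): a minimal matcher showing the strict reading in which 'self' means exactly the document's scheme, host and port, beside the relaxed rule later specified in CSP Level 3 that lets an http: document's 'self' also cover https: on the same host. It also evaluates a tiny frame-src source list to make the point that frame-src restricts what a page may embed, not who may embed it (that is frame-ancestors or X-Frame-Options). All URLs are constructed samples.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url):
    """Return (scheme, host, port) for a scheme-qualified URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[scheme]


def self_matches(document_url, candidate_url, allow_https_upgrade=False):
    """Does the CSP keyword 'self', evaluated for document_url, cover candidate_url?

    allow_https_upgrade=False: strict reading (the one the thread starts from):
      'self' is exactly the document's scheme, host and port, so an http: page's
      'self' does not cover an https: frame on the same host.
    allow_https_upgrade=True: the rule later adopted in CSP Level 3: an http:
      document's 'self' also covers https:/wss: URLs on the same host when the
      ports are equal or both are the default for their scheme. An https:
      document's 'self' never covers http:.
    """
    d_scheme, d_host, d_port = origin_of(document_url)
    c_scheme, c_host, c_port = origin_of(candidate_url)
    if (d_scheme, d_host, d_port) == (c_scheme, c_host, c_port):
        return True
    if not allow_https_upgrade or d_host != c_host:
        return False
    ports_agree = d_port == c_port or (
        d_port == DEFAULT_PORTS[d_scheme] and c_port == DEFAULT_PORTS[c_scheme])
    if not ports_agree:
        return False
    if c_scheme in ("https", "wss"):
        return True
    return d_scheme == "http" and c_scheme in ("http", "ws")


def frame_src_permits(document_url, source_list, frame_url, allow_https_upgrade=False):
    """Evaluate a minimal frame-src source list: may document_url load frame_url in a frame?

    This governs what the document embeds, not who may frame the document.
    Supports 'none', 'self' and exact scheme-qualified origins; no wildcards or paths.
    """
    if not source_list or source_list == ["'none'"]:
        return False
    for src in source_list:
        if src == "'self'":
            if self_matches(document_url, frame_url, allow_https_upgrade):
                return True
        elif src.startswith("'"):
            continue  # other keyword sources are not modelled here
        elif origin_of(src) == origin_of(frame_url):
            return True
    return False
```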