Re: Using CSP

On 7/26/11 1:21 PM, Hill, Brad wrote:
>> Again, the context here is that HTTP content is framing HTTPS content at the same host
>> and the latter wants to use 'self' in allow-frames to allow the framing.  _That_ is what I
>> would like to understand use cases for.
>
> That's not how I understood it.  I think the request was that "self", in the context of CSP for an HTTP resource, also implicitly include HTTPS of the same origin.

That was sort of the request, yes.

> In the context of IFRAMEs this is about loading the framed content from HTTPS; it is not about the HTTPS resource's declarations of who might have permission to frame it.

The precise quote was:

   The problem is that if you use, for instance, "frame-src 'self'" to
   ensure that your pages cannot be framed in another site,

I hadn't realized when I read that that the part starting "to ensure" was just completely unrelated to the actual CSP directive used.

I can see the argument for allowing linking to an https frame on the same server, I guess.  It still feels like something more likely to be used to feel good about security than to actually be secure, but I take your point about incremental movement to https.

-Boris
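As an added illustration (not part of the thread above), the following Python models the two readings of `'self'` under discussion: the strict reading (same scheme, host and port) and the requested relaxation, where a policy delivered over http:// also treats https:// on the same host as `'self'` (the relaxation CSP Level 3's `'self'` matching later specified). It also makes Boris's point concrete: `frame-src` is evaluated by the embedding page against the URLs it tries to load into frames, so it says nothing about who may frame the HTTPS resource. Function names and the `example.com` URLs are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str):
    """Return (scheme, host, effective port) for a URL, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def self_matches(policy_url: str, target_url: str, relaxed: bool = False) -> bool:
    """Does 'self' in a policy delivered with policy_url cover target_url?

    strict  : identical scheme, host and port (the CSP 1.0 reading).
    relaxed : additionally, an http:// policy origin matches https:// on the same
              host when the ports are equal or both are the scheme defaults.
    A downgrade (https:// policy, http:// target) never matches.
    """
    p_scheme, p_host, p_port = origin_of(policy_url)
    t_scheme, t_host, t_port = origin_of(target_url)
    if (p_scheme, p_host, p_port) == (t_scheme, t_host, t_port):
        return True
    if relaxed and p_scheme == "http" and t_scheme == "https" and p_host == t_host:
        return p_port == t_port or (p_port == 80 and t_port == 443)
    return False


def frame_src_allows(page_url: str, frame_src: str, frame_url: str,
                     relaxed: bool = False) -> bool:
    """Evaluate a frame-src source list for a frame the page at page_url wants to load.

    Supports 'none', 'self' and exact scheme://host[:port] expressions (constructed
    subset; no wildcards).  Note the direction: this is the embedder's policy judging
    the child URL, not the child's policy judging its ancestors.
    """
    sources = frame_src.split()
    if sources == ["'none'"]:
        return False
    for src in sources:
        if src == "'self'":
            if self_matches(page_url, frame_url, relaxed):
                return True
        elif origin_of(src) == origin_of(frame_url):
            return True
    return False
```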

Received on Tuesday, 26 July 2011 17:27:28 UTC