W3C home > Mailing lists > Public > public-web-security@w3.org > July 2011

Re: Using CSP

From: Nick Gearls <nickgearls@gmail.com>
Date: Wed, 27 Jul 2011 12:44:13 +0200
Message-ID: <4E2FEBFD.4060102@gmail.com>
To: public-web-security@w3.org
Just to clarify: 'self' currently means same server and same protocol.
It disallows a HTTPS iframe in a HTTP page (good from a security point 
of view).
It disallows a HTTP iframe in a HTTPS page (that should be allowed).



On 26/7/2011 19:26, Boris Zbarsky wrote:
> On 7/26/11 1:21 PM, Hill, Brad wrote:
>>> Again, the context here is that HTTP content is framing HTTPS content
>>> at the same host
>>> and the latter wants to use 'self' in allow-frames to allow the
>>> framing. _That_ is what I
>>> would like to understand use cases for.
>> That's not how I understood it. I think the request was that "self",
>> in the context of CSP for an HTTP resource, also implicitly include
>> HTTPS of the same origin.
> That was sort of the request, yes.
>> In the context of IFRAMEs this is about loading the framed content
>> from HTTPS; it is not about the HTTPS resource's declarations of who
>> might have permission to frame it.
> The precise quote was:
> The problem is that if you use, for instance, "frame-src 'self'" to
> ensure that your pages cannot be framed in another site,
> I hadn't realized when I read that that the part starting "to ensure"
> was just completely unrelated to the actual CSP directive used.
> I can see the argument for allowing linking to an https frame on the
> same server, I guess. It still feels like something more likely to be
> used to feel good about security than to actually be secure, but I take
> your point about incremental movement to https.
> -Boris
Received on Wednesday, 27 July 2011 10:43:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC