
CSP frame-src scope

From: Marc Stern <marc.stern@approach.be>
Date: Fri, 27 Apr 2012 10:04:17 +0200
Message-ID: <4F9A5301.70500@approach.be>
To: public-web-security@w3.org

Hi,

If I allow my page on "mysite.com" to be embedded with "frame-src othersite.com" and the container page on "othersite.com" is embedded in a page from "othersite2.com", FF 12 complains that my page on "mysite.com" cannot be embedded in "othersite2.com".

1. Is this the intention?
2. This should be documented
3. What's the best behaviour?
If I allow embedding in "othersite.com" and "othersite.com" allows embedding in "othersite2.com", shouldn't it be accepted?
It seems unrealistic to me to manage the relationship between "othersite.com" and "othersite2.com".
On the other hand, if "othersite.com" does not implement CSP headers correctly, this will allow embedding of "othersite.com" in any site and put my security in peril.
Or maybe an additional option to specify multi-level embedding behaviour (e.g. "frame-accept-multilevel").

Regards,

Marc
Received on Friday, 27 April 2012 10:32:43 GMT
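The two behaviours contrasted in the message (checking every ancestor in the frame chain, which is what FF 12 did and what the later CSP Level 2 frame-ancestors directive specifies, versus checking only the immediate parent) can be modelled with a small policy checker. This is an added illustration, not code from the mailing list or from any browser; the source-expression matching is a constructed subset that handles only host and scheme://host expressions with a leading "*." wildcard, and the site names are the ones used in the message.

```python
from urllib.parse import urlsplit


def source_matches(source, url):
    """Match one source expression against the origin of a document URL.

    Constructed subset of CSP source matching: 'self', ports and paths are
    not handled; a leading '*.' matches subdomains only, as in CSP.
    """
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if "://" in source:
        src_scheme, src_host = source.lower().split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        src_host = source.lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host


def embedding_allowed(source_list, ancestors, check_all=True):
    """Decide whether a page may be shown inside the given ancestor chain.

    ancestors: document URLs of the embedding frames, nearest parent first.
    check_all=True  -> every ancestor must match the source list (the
                       behaviour the message observed in FF 12).
    check_all=False -> only the immediate parent is checked (the transitive
                       behaviour the message asks about). With this setting,
                       any site that can embed the trusted container page
                       can also display the protected page, so the outer
                       framing decision is delegated to the container site.
    """
    chain = ancestors if check_all else ancestors[:1]
    return all(any(source_matches(s, url) for s in source_list) for url in chain)


if __name__ == "__main__":
    # Constructed scenario from the message: mysite.com trusts othersite.com,
    # and the othersite.com container is itself framed by othersite2.com.
    policy = ["othersite.com"]
    chain = ["https://othersite.com/container", "https://othersite2.com/outer"]
    print("full chain checked:", embedding_allowed(policy, chain))
    print("parent only checked:", embedding_allowed(policy, chain, check_all=False))
```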