
Re: CSP frame-src scope

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 1 May 2012 10:27:48 -0700
Message-ID: <CAJE5ia8=rbkN=2pLsZGVEhv1BbzbcZ78QPJjxoQe0bWoBV5Qxw@mail.gmail.com>
To: marc.stern@approach.be
Cc: public-web-security@w3.org
On Fri, Apr 27, 2012 at 1:04 AM, Marc Stern <marc.stern@approach.be> wrote:
> If I allow my page on "mysite.com" to be embedded with "frame-src
> othersite.com" and the container page on "othersite.com" is embedded in a
> page from "othersite2.com", FF 12 complains that my page on "mysite.com"
> cannot be embedded in "othersite2.com".

This description seems somewhat backwards.  The frame-src directive
controls what iframes your document can contain not the contexts in
which your document can be embedded.

> 1. Is this the intention?
> 2. This should be documented
> 3. What's the best behaviour?
> If I allow embedding in "othersite.com" and "othersite.com" allows
> embedding in "othersite2.com", shouldn't it be accepted?

CSP currently doesn't have any mechanism for controlling where your
document can be embedded.  It can only control the location from which
you can load resources.

Adam


> It seems unrealistic to me to manage the relationship between
> "othersite.com" and "othersite2.com".
> On the other end, if "othersite.com" does not implement CSP
> headers correctly, this will allow embedding of "othersite.com" in any site and put my
> security in peril.
> Or maybe an additional option to specify multi-level embedding behaviour
> (ex: "frame-accept-multilevel")
>
> Regards,
>
> Marc
>
>
>
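The nesting Marc describes, as an added example that is not part of the thread: a small JavaScript CSP frame-src evaluator (simplified source matching; the policies for othersite.com and othersite2.com are assumed) that walks the embedding chain and records whose policy is consulted at each step.

```javascript
// Added example (not from the thread): a minimal CSP 1.0 frame-src evaluator
// showing which document's policy is consulted at each level of nesting.
// Source matching is simplified (scheme, host with "*." wildcard, port).
function sourceList(policy, name) {
  const d = policy.split(';').map(s => s.trim().split(/\s+/))
    .find(p => p[0] && p[0].toLowerCase() === name);
  return d ? d.slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase()) : null;
}
function sourceMatches(src, docOrigin, target) {
  const t = new URL(target);
  if (src === 'none') return false;
  if (src === '*') return true;
  if (src === 'self') return t.origin === docOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return t.protocol === src; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && t.protocol !== scheme + ':') return false;
  if (!(wild ? t.hostname.endsWith('.' + host) : t.hostname === host)) return false;
  const tPort = t.port || (t.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === tPort;
}
// May a document at docOrigin, served with `policy`, load an iframe to frameUrl?
// frame-src falls back to default-src; with neither present CSP imposes no limit.
function frameSrcAllows(policy, docOrigin, frameUrl) {
  const sources = sourceList(policy, 'frame-src') ?? sourceList(policy, 'default-src');
  return sources === null || sources.some(s => sourceMatches(s, docOrigin, frameUrl));
}
// Walk an embedding chain, outermost first. At each step only the PARENT's
// frame-src is consulted, against the child's URL; the child's own policy says
// nothing about whether it may be embedded, which is the point of the reply.
function evaluateChain(chain) {
  const steps = [];
  for (let i = 0; i + 1 < chain.length; i++) {
    const parent = chain[i], child = chain[i + 1];
    steps.push({
      parent: parent.url, child: child.url, policyConsulted: parent.policy,
      allowed: frameSrcAllows(parent.policy, new URL(parent.url).origin, child.url),
    });
  }
  return steps;
}
// Constructed scenario from the thread: othersite2.com frames othersite.com,
// which frames mysite.com. The two outer policies are assumed; mysite.com's own
// "frame-src othersite.com" never appears in policyConsulted.
const scenario = [
  { url: 'https://othersite2.com/outer', policy: 'frame-src othersite.com' },
  { url: 'https://othersite.com/container', policy: 'frame-src mysite.com' },
  { url: 'https://mysite.com/page', policy: 'frame-src othersite.com' },
];
```

Whether mysite.com may be framed at all is decided by the parents' policies, not by mysite.com's frame-src; in 2012 the embedding direction needed X-Frame-Options, and CSP Level 2 later added frame-ancestors for it.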
Received on Tuesday, 1 May 2012 17:28:55 GMT
