W3C home > Mailing lists > Public > public-web-security@w3.org > May 2012

Re: CSP frame-src scope

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Tue, 01 May 2012 11:00:14 -0700
Message-ID: <4FA024AE.8090301@mozilla.com>
To: public-web-security@w3.org, marc.stern@approach.be
Hi Marc,

You may be thinking of the X-Frame-Options header: 

This header tells browsers whether or not to allow your site to be 
iframed.  There are only two options though; DENY and SAMEORIGIN.


On 5/1/12 10:27 AM, Adam Barth wrote:
> On Fri, Apr 27, 2012 at 1:04 AM, Marc Stern<marc.stern@approach.be>  wrote:
>> If I allow my page on "mysite.com" to be embedded with "frame-src
>>   othersite.com" and the container page on "othersite.com" is embedded in a
>> page from "othersite2.com", FF 12 complains that my page on "mysite.com"
>> cannot be embedded in "othersite2.com".
> This description seems somewhat backwards.  The frame-src directive
> controls what iframes your document can contain not the contexts in
> which your document can be embedded.
>> 1. Is this the intention?
>> 2. This should be documented
>> 3. What's the best behaviour?
>> If I allow embedding in "othersite.com" and "othersite.com" allows
>> embedding in "othersite2.com", shouldn't it be accepted?
> CSP currently doesn't have any mechanism for controlling where your
> document can be embedded.  It can only control the location from which
> you can load resources.
> Adam
>> It seems unrealistic to me to manage the relationship between
>> "othersite.com" and "othersite2.com".
>> On the other end, if "othersite.com" does not implement correctly CSP
>> headers, this will allow embedding of "othersite.com" in any site and put my
>> security in peril.
>> Or maybe an additional option to specify multi-level embedding behaviour
>> (ex: "frame-accept-multilevel")
>> Regards,
>> Marc
Received on Wednesday, 2 May 2012 15:07:56 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:20 UTC