Hello, WebAppSecians! In the ever-so-brief period of time before the US transitions completely from tryptophan-induced sloth to peppermint-infused holiday euphoria, I'd like to draw your attention to this call for consensus to publish the following draft of "CSP Embedded Enforcement" as a First Public Working Draft: https://w3c.github.io/webappsec-csp/embedded/published/FPWD.html This draft describes a mechanism by which an embedder can propose a CSP for a resource embedded through an `<iframe>` element, and refuse to embed any resource which does not agree to adhere to that policy. We discussed it briefly at TPAC, and folks seemed generally in favor of moving forward with the draft in this group (the minutes[1] record "general mutterings of interest", which I suppose is positive? :) ). I think the draft is clear enough for a FPWD, and will benefit from the attention such a publication might draw. This CfC will end in a week, on December 7th. Feedback, positive and otherwise, would be excellent: please send it to public-webappsec@w3.org. [1]: http://www.w3.org/2015/10/28-webappsec-minutes -mike
Received on Monday, 30 November 2015 10:15:30 UTC