- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Sat, 3 Dec 2016 19:32:38 -0000
- To: <public-webappsec@w3.org>
- Message-ID: <184401d24d9c$01d2e100$0578a300$@baycloud.com>

When you want to update the required CSP, editing a large site with several iframes can be logistically difficult; some of them may be loaded dynamically or via tag management and difficult to keep track of. Different teams may have local authority for some site content, but there still may be a need to set an overall policy for the site.

How about a default CSP attribute for iframes, i.e. an Embedding-CSP header is sent with a default value to any iframe that does not have a “csp” attribute. The default value would be managed by a centralised authority for the site, so individual iframes' CSPs would only need to be edited if they needed their own embedded CSP.

The default embedded CSP could be set by the top level origin responding with its own Embedding-CSP (response) header, which could also be delivered in situ via an http-equiv meta tag.

Mike

Mike O’Neill
Director
Baycloud Systems
The Oxford Centre for Innovation
New Road, Oxford, OX1 1BY
Tel: +44 1865 735619
Skype: mikeoneill

Received on Saturday, 3 December 2016 19:34:03 UTC