- From: Malika Aubakirova <amalika@google.com>
- Date: Wed, 2 Nov 2016 16:15:46 +0100
- To: public-webappsec@w3.org
- Message-ID: <CALK0k2bmXTgTqxAvu73uiq1+j_HW6R64EY0AZQeEyD9y7hH3CQ@mail.gmail.com>
Hello, public-webappsec!

Preliminary work for Embedded Enforcement has been done and is available under an experimental flag, EmbedderCSPEnforcement <https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in?q=embedderCSPEnforcement&sq=package:chromium&l=93&dr=C>. This feature empowers an embedder to enforce certain policies on its embedees. When present, iframes will be loaded if and only if they agree to the restrictions imposed by the embedder.

At this moment, an embedee can comply with the Embedding-CSP only through the `Allow-CSP-From` header (more information on this header is here <https://w3c.github.io/webappsec-csp/embedded/#allow-csp-from-http-header>), and this is ready for testing. Please note that the subsumption algorithm is still under review and is not yet available. The bug that tracks the progress is this <https://bugs.chromium.org/p/chromium/issues/detail?id=647588>.

Comments and suggestions will be highly appreciated!

Thanks,
Malika
Received on Wednesday, 2 November 2016 16:08:09 UTC
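As an added example, not code from the email or from Chromium, here is a small Python model of the decision the user agent makes for a framed document under Embedded Enforcement as the message describes it: the embedder's policy travels as the Embedding-CSP request header, and the frame loads only if the embedee's Allow-CSP-From response header names the embedder's origin (or `*`). The subsumption path is left out because the email says it is still under review; the function names and sample origins are this example's own assumptions.

```python
# Added example: a model of the user agent's Embedded Enforcement decision.
# Not the email's or Chromium's code; names and sample values are constructed.
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def ascii_origin(url: str) -> str:
    """Serialize a URL's origin as scheme://host[:port], dropping default ports."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{parts.port}"


def embedding_csp_request_headers(csp_attribute: Optional[str]) -> Dict[str, str]:
    """Headers the UA adds to the frame request when <iframe csp="..."> is set."""
    return {"Embedding-CSP": csp_attribute} if csp_attribute else {}


def decide_frame_load(embedder_url: str, csp_attribute: Optional[str],
                      response_headers: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Return (load_frame, policy_enforced_on_embedee) for one framed response.

    Without an embedding policy the frame loads as usual. With one, the embedee
    must opt in via Allow-CSP-From: "*" or the embedder's origin. Otherwise the
    frame is blocked (the subsumption check would sit here once it exists).
    """
    if not csp_attribute:
        return True, None
    headers = {name.lower(): value for name, value in response_headers.items()}
    allow = headers.get("allow-csp-from", "").strip().lower()
    if allow == "*" or (allow and allow == ascii_origin(embedder_url).lower()):
        return True, csp_attribute  # embedee agreed: embedder's policy is enforced
    return False, None  # no agreement: frame is not loaded


if __name__ == "__main__":
    # Constructed sample: an embedder framing a widget with a restrictive policy.
    embedder = "https://embedder.example/page"
    policy = "script-src 'none'; frame-ancestors https://embedder.example"
    print(embedding_csp_request_headers(policy))
    agreeing = {"Allow-CSP-From": "https://embedder.example"}
    refusing = {"Allow-CSP-From": "https://someone-else.example"}
    print(decide_frame_load(embedder, policy, agreeing))   # loads, policy enforced
    print(decide_frame_load(embedder, policy, refusing))   # blocked
    print(decide_frame_load(embedder, policy, {}))         # blocked: no opt-in
```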