Re: Using CSP

On 7/26/11 12:58 PM, Hill, Brad wrote:
> The threat is that the secure content will be spoofed, but there are plenty of common use cases for this, where the content of the HTTPS iframe has a very low risk of spoofing.  For example, a personalized "Like", "+1", or "Pay" button.

OK, I'm with you so far.

> These buttons likely originate at an HTTPS only site, but are commonly embedded in HTTP content.

In this situation, using the 'self' CSP directive in the button would 
make it not embeddable even if the content were HTTPS, since presumably 
the content is on a different server.

Again, the context here is that HTTP content is framing HTTPS content at 
the same host and the latter wants to use 'self' in allow-frames to 
allow the framing.  _That_ is what I would like to understand use cases for.

-Boris

Received on Tuesday, 26 July 2011 17:07:43 UTC
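An added example, not part of Boris's message or of any browser's CSP code: a small model of how a browser evaluates the frame-ancestors directive (the name the CSP specification settled on for the "allow-frames" idea discussed above) against the chain of documents framing a resource. The matching rules follow CSP Level 3's source-expression matching, including its one-way "secure upgrade" for 'self', so an HTTPS resource that says 'self' cannot be framed by an HTTP page on the same host, which is the case Boris is asking about, nor by any other site, which is Brad's button case. The hostnames buttons.example, shop.example and other.example are made up for illustration.

```javascript
// Added example, not from the original thread: a model of frame-ancestors
// evaluation following CSP Level 3 source-expression matching. Hostnames are
// invented for illustration.

const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Reduce a URL to the parts CSP matching cares about: scheme (with the
// trailing colon, as URL.protocol gives it), lower-cased host, explicit port.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port ? Number(u.port) : DEFAULT_PORTS[u.protocol] ?? null,
  };
}

function isDefaultPort(o) {
  return o.port === DEFAULT_PORTS[o.scheme];
}

// 'self' matches the protected resource's own origin, plus CSP3's one-way
// "secure upgrade": an http/ws resource also matches https/wss URLs on the
// same host. An https resource never matches an http URL (Boris's case).
function matchesSelf(protectedOrigin, url) {
  const p = protectedOrigin;
  const u = originOf(url);
  if (p.scheme === u.scheme && p.host === u.host && p.port === u.port) return true;
  if (p.host !== u.host) return false;
  if (!(p.port === u.port || (isDefaultPort(p) && isDefaultPort(u)))) return false;
  if (u.scheme === "https:" || u.scheme === "wss:") return true;
  return p.scheme === "http:" && (u.scheme === "http:" || u.scheme === "ws:");
}

// Scheme-part matching: exact, or an insecure scheme matching its secure form.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === "http:" && urlScheme === "https:") ||
    (exprScheme === "ws:" && urlScheme === "wss:");
}

// host-source: [scheme://]host[:port], where host may start with "*." and
// port may be "*". Path parts are left out of this model.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:/*]+|[^:/*]+)(?::(\d+|\*))?$/i;

function matchesHostSource(expr, protectedOrigin, url) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, hostPattern, portPart] = m;
  const u = originOf(url);
  // Without an explicit scheme, the protected resource's scheme is implied.
  const exprScheme = scheme ? scheme.toLowerCase() + ":" : protectedOrigin.scheme;
  if (!schemeMatches(exprScheme, u.scheme)) return false;
  const pattern = hostPattern.toLowerCase();
  if (pattern.startsWith("*.")) {
    // "*.example" matches "a.example" but not "example" itself.
    if (!u.host.endsWith(pattern.slice(1))) return false;
  } else if (pattern !== u.host) {
    return false;
  }
  if (portPart === undefined) return isDefaultPort(u);
  if (portPart === "*") return true;
  return Number(portPart) === u.port;
}

// Evaluate a frame-ancestors value for the resource at resourceUrl, given the
// URLs of every document framing it (nearest parent first). Each ancestor must
// match some source expression; 'none' matches nothing and an empty list
// forbids all framing.
function frameAncestorsAllows(directiveValue, resourceUrl, ancestors) {
  const protectedOrigin = originOf(resourceUrl);
  const sources = directiveValue.trim().split(/\s+/).filter(Boolean);
  if (sources.length === 0) return false;
  const matches = (src, ancestor) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return matchesSelf(protectedOrigin, ancestor);
    if (s === "*") return ["http:", "https:", "ws:", "wss:"].includes(originOf(ancestor).scheme);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s, originOf(ancestor).scheme);
    return matchesHostSource(src, protectedOrigin, ancestor);
  };
  return ancestors.every(ancestor => sources.some(src => matches(src, ancestor)));
}

// The thread's scenarios: a "Like"/"Pay" button served over HTTPS from
// buttons.example (invented host), framed by various pages.
function threadScenarios() {
  const button = "https://buttons.example/like";
  return {
    // 'self': the button's own HTTPS origin may frame it ...
    selfSameOrigin: frameAncestorsAllows("'self'", button, ["https://buttons.example/page"]),
    // ... but not an HTTP page on the same host (Boris's case) ...
    selfHttpSameHost: frameAncestorsAllows("'self'", button, ["http://buttons.example/page"]),
    // ... and not another site at all (Brad's embedding case).
    selfOtherSite: frameAncestorsAllows("'self'", button, ["https://shop.example/"]),
    // Embedding on arbitrary HTTP pages needs scheme sources, not 'self'.
    anyHttpOrHttpsSite: frameAncestorsAllows("http: https:", button, ["http://shop.example/"]),
    // The upgrade direction: an HTTP resource with 'self' may be framed by the
    // HTTPS version of the same host.
    httpResourceHttpsParent: frameAncestorsAllows("'self'", "http://buttons.example/like", ["https://buttons.example/page"]),
    // Nested framing: every ancestor in the chain must match.
    nestedWithHttpTop: frameAncestorsAllows("https://shop.example", button, ["https://shop.example/embed", "http://other.example/"]),
  };
}

console.log(threadScenarios());
```

Running it prints the six results; selfSameOrigin, anyHttpOrHttpsSite and httpResourceHttpsParent come out true and the other three false. The model only implements 'self', 'none', '*', scheme sources and host sources without path parts, which is enough to show why a button on its own HTTPS host cannot use 'self' to allow embedding elsewhere, and why an HTTP parent on the same host is still refused.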