- From: Marc Stern <marc.stern@approach.be>
- Date: Fri, 27 Apr 2012 10:04:17 +0200
- To: public-web-security@w3.org

Hi,

If I allow my page on "mysite.com" to be embedded with "frame-src othersite.com" and the container page on "othersite.com" is embedded in a page from "othersite2.com", FF 12 complains that my page on "mysite.com" cannot be embedded in "othersite2.com".

1. Is this the intention?
2. This should be documented.
3. What's the best behaviour?

If I allow embedding in "othersite.com" and "othersite.com" allows embedding in "othersite2.com", shouldn't it be accepted? It seems unrealistic to me to manage the relationship between "othersite.com" and "othersite2.com".

On the other hand, if "othersite.com" does not implement CSP headers correctly, this will allow embedding of "othersite.com" in any site and put my security in peril.

Or maybe an additional option to specify multi-level embedding behaviour (ex: "frame-accept-multilevel").

Regards,
Marc

Received on Friday, 27 April 2012 10:32:43 UTC
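
The two enforcement models the message weighs, as an added example that is not part of the original post: one checks every ancestor of the framed page (the behaviour reported for FF 12), the other checks only the direct parent. The function names and the `unknown.example` host are assumptions made for illustration; the other hosts are the ones used in the message.

```javascript
// Added illustration, not browser source code. It models an "allowed embedders"
// list for a framed page and two ways a browser could enforce it.

// True if `host` matches one allow-list entry: "*", "*.example.com" or an exact host.
function hostMatches(entry, host) {
  if (entry === "*") return true;
  if (entry.startsWith("*.")) return host.endsWith(entry.slice(1)); // subdomains only
  return entry === host;
}

function isAllowed(allowList, host) {
  return allowList.some((entry) => hostMatches(entry, host));
}

// `ancestors` lists the embedding documents, direct parent first, top-level page last.
// Model A: every ancestor must be on the list (what the message reports for FF 12).
function checkAllAncestors(allowList, ancestors) {
  const blockedBy = ancestors.find((host) => !isAllowed(allowList, host));
  return blockedBy === undefined ? { allowed: true } : { allowed: false, blockedBy };
}

// Model B: only the direct parent is checked; outer frames are trusted implicitly.
function checkParentOnly(allowList, ancestors) {
  if (ancestors.length === 0 || isAllowed(allowList, ancestors[0])) {
    return { allowed: true };
  }
  return { allowed: false, blockedBy: ancestors[0] };
}

// Constructed scenarios for the page on mysite.com.
const policy = ["othersite.com"];
const nested = ["othersite.com", "othersite2.com"];    // the case in the message
const unvetted = ["othersite.com", "unknown.example"]; // othersite.com sets no policy of its own

console.log("all ancestors, nested:  ", checkAllAncestors(policy, nested));
console.log("parent only, nested:    ", checkParentOnly(policy, nested));
// Under model B, any site able to frame othersite.com also gets mysite.com rendered
// inside its page, which is the exposure the message is worried about.
console.log("parent only, unvetted:  ", checkParentOnly(policy, unvetted));
console.log("all ancestors, unvetted:", checkAllAncestors(policy, unvetted));
// Under model A the nested case passes once both embedders are listed explicitly.
console.log("all ancestors, both listed:",
  checkAllAncestors(["othersite.com", "othersite2.com"], nested));
```
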