CSP frame-src scope

Hi,

If I allow my page on "mysite.com" to be embedded with "frame-src othersite.com" and the container page on "othersite.com" is embedded in a page from "othersite2.com", FF 12 complains that my page on "mysite.com" cannot be embedded in "othersite2.com".

1. Is this the intention?
2. This should be documented.
3. What's the best behaviour?
   If I allow embedding in "othersite.com" and "othersite.com" allows embedding in "othersite2.com", shouldn't it be accepted?
   It seems unrealistic to me to manage the relationship between "othersite.com" and "othersite2.com".
   On the other hand, if "othersite.com" does not implement CSP headers correctly, this will allow embedding of "othersite.com" in any site and put my security in peril.
   Or maybe an additional option to specify multi-level embedding behaviour (e.g. "frame-accept-multilevel")?

Regards,

Marc

Received on Friday, 27 April 2012 10:32:43 UTC
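An added example, not part of the post or the list archive, of the check behind the behaviour Marc describes: the directive that restricts who may embed a document is frame-ancestors (frame-src restricts what the document itself may embed), and it is evaluated against every ancestor in the frame chain, not only the direct parent, so the embedded page's own policy must list "othersite2.com" for the nested case to pass. The source matching is a simplified, hypothetical implementation (no default-port normalisation; scheme-less sources ignore the scheme) and the origins are constructed.

```python
from urllib.parse import urlsplit


def _host_matches(pattern_host, host):
    # "*.example.com" matches subdomains only; anything else is an exact,
    # case-insensitive host comparison.
    pattern_host, host = pattern_host.lower(), host.lower()
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return pattern_host == host


def source_matches(expr, origin, self_origin):
    """Does one frame-ancestors source expression match an ancestor origin?"""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin == self_origin
    o = urlsplit(origin)
    if o.hostname is None:
        return False
    if "://" in expr:
        e = urlsplit(expr)
        if e.scheme != o.scheme:
            return False
        ehost, eport = e.hostname, e.port
    else:
        # Simplification: a scheme-less source only constrains host and port.
        ehost, _, port_str = expr.partition(":")
        eport = int(port_str) if port_str else None
    if not _host_matches(ehost, o.hostname):
        return False
    return eport is None or eport == o.port


def embedding_allowed(policy, self_origin, ancestors):
    """True only if EVERY ancestor origin (direct parent first, then its
    parent, ...) matches some source in the frame-ancestors value."""
    sources = policy.split()
    return all(any(source_matches(s, a, self_origin) for s in sources)
               for a in ancestors)


if __name__ == "__main__":
    # Constructed scenario from the post: mysite.com inside othersite.com
    # inside othersite2.com; the policy names only the direct embedder.
    chain = ["https://othersite.com", "https://othersite2.com"]
    print(embedding_allowed("othersite.com", "https://mysite.com", chain))
```

Because each ancestor is checked against the embedded page's own policy, the correctness of othersite.com's CSP never widens what may embed mysite.com.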