
CSP frame-src scope

From: Marc Stern <marc.stern@approach.be>
Date: Fri, 27 Apr 2012 10:04:17 +0200
Message-ID: <4F9A5301.70500@approach.be>
To: public-web-security@w3.org

If I allow my page on "mysite.com" to be embedded with "frame-src othersite.com" and the container page on "othersite.com" is embedded in a page from "othersite2.com", FF 12 complains that my page on "mysite.com" cannot be embedded in "othersite2.com".

1. Is this the intention?
2. This should be documented.
3. What's the best behaviour?

If I allow embedding in "othersite.com" and "othersite.com" allows embedding in "othersite2.com", shouldn't it be accepted? It seems unrealistic to me to manage the relationship between "othersite.com" and "othersite2.com".
On the other hand, if "othersite.com" does not implement CSP headers correctly, this will allow embedding of "othersite.com" in any site and put my security in peril.
Or maybe an additional option to specify multi-level embedding behaviour (e.g. "frame-accept-multilevel").


Received on Friday, 27 April 2012 10:32:43 UTC
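An added example, not part of Marc Stern's message or of any W3C text: a small model of how a CSP frame-ancestors check walks the entire chain of ancestor documents, which is the multi-level behaviour the message asks about. The message speaks of frame-src; on the embedded page, the directive that restricts who may embed it is frame-ancestors, and the matching below follows the source-list rules later written down in CSP Level 2 (every ancestor, not only the immediate parent, must match the list). It is simplified to 'none', 'self' and host-source expressions without path parts. The origins mysite.com, othersite.com and othersite2.com are the ones from the message, used here as constructed input; nothing is fetched.

```javascript
// Added example (not from the original message): model of the CSP Level 2
// frame-ancestors check, in which the source list is evaluated against every
// ancestor browsing context. Simplified: only 'none', 'self' and host-source
// expressions ([scheme://]host[:port], optional "*." host prefix) are handled;
// path-part matching is omitted.

// Parse one source expression into a matcher object.
function parseSource(expr) {
  if (expr === "'none'") return { kind: 'none' };
  if (expr === "'self'") return { kind: 'self' };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error('unsupported source expression: ' + expr);
  return {
    kind: 'host',
    scheme: m[1] ? m[1].toLowerCase() : null,
    wildcard: !!m[2],          // "*.example.com": any subdomain, not the apex
    host: m[3].toLowerCase(),
    port: m[4] || null,        // null: only the scheme's default port
  };
}

function hostMatches(pattern, wildcard, host) {
  return wildcard ? host.endsWith('.' + pattern) : host === pattern;
}

// Does `origin` (one ancestor document's origin) match one parsed source,
// given `page`, the origin of the framed document that carries the policy?
function sourceMatches(src, origin, page) {
  const u = new URL(origin), p = new URL(page);
  const uScheme = u.protocol.replace(':', ''), pScheme = p.protocol.replace(':', '');
  if (src.kind === 'none') return false;
  if (src.kind === 'self') return u.origin === p.origin;
  // Scheme: an explicit scheme must match exactly; an absent one matches the
  // page's own scheme, or https when the page itself is http.
  if (src.scheme !== null) {
    if (src.scheme !== uScheme) return false;
  } else if (!(uScheme === pScheme || (pScheme === 'http' && uScheme === 'https'))) {
    return false;
  }
  if (!hostMatches(src.host, src.wildcard, u.hostname)) return false;
  // Port: '*' matches any; absent matches only the scheme's default port
  // (URL.port is '' for a default port); otherwise compare literally.
  const defaultPort = { http: '80', https: '443' }[uScheme] || '';
  const effective = u.port || defaultPort;
  if (src.port === '*') return true;
  if (src.port === null) return effective === defaultPort;
  return effective === src.port;
}

// Evaluate a frame-ancestors directive value for a page loaded under the given
// chain of ancestor origins. Order is irrelevant: every ancestor must match
// some source, so a single unlisted ancestor anywhere in the chain blocks
// the load. Returns which ancestor tripped the check, for diagnostics.
function checkFrameAncestors(directiveValue, page, ancestors) {
  const sources = directiveValue.trim().split(/\s+/).map(parseSource);
  for (const ancestor of ancestors) {
    if (!sources.some(s => sourceMatches(s, ancestor, page))) {
      return { allowed: false, blockedBy: ancestor };
    }
  }
  return { allowed: true, blockedBy: null };
}

// Constructed scenario from the message: mysite.com framed by othersite.com,
// which is itself framed by othersite2.com.
const page = 'https://mysite.com';
const chain = ['https://othersite.com', 'https://othersite2.com'];
// Only the immediate embedder is listed: the outer page trips the check.
console.log(checkFrameAncestors('othersite.com', page, chain));
// Both ancestors listed: the nested embedding is allowed.
console.log(checkFrameAncestors('othersite.com othersite2.com', page, chain));
```

The model makes the trade-off in the message concrete: the only policy the embedded page can express is a list of origins that are all allowed to sit somewhere above it, so the outer site has to be named by mysite.com itself, and othersite.com's own policy plays no part in whether mysite.com loads.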
