- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Tue, 01 May 2012 14:14:06 -0700
- To: public-web-security@w3.org, marc.stern@approach.be
Or, you may be thinking of the "frame-ancestors" directive: https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#frame-ancestors

This directive was dropped from the CSP 1.0 spec (I believe because X-Frame-Options was already in use). It is still implemented in the Firefox codebase [1]. If the browser sees both the X-Frame-Options header and the frame-ancestors directive, it will enforce the strictest subset of the two policies. For frame-ancestors, if any of the ancestors are not in the allowed list, the document won't render. For X-Frame-Options, it doesn't look like all ancestors are checked unless the "AllAncestors" flag is included: http://tools.ietf.org/html/draft-gondrom-frame-options-02.

~Tanvi

[1] http://mxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm#189

On 5/1/12 11:00 AM, Tanvi Vyas wrote:
> Hi Marc,
>
> You may be thinking of the X-Frame-Options header:
> https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
>
> This header tells browsers whether or not to allow your site to be
> iframed. There are only two options though; DENY and SAMEORIGIN.
>
> ~Tanvi
>
> On 5/1/12 10:27 AM, Adam Barth wrote:
>> On Fri, Apr 27, 2012 at 1:04 AM, Marc Stern <marc.stern@approach.be> wrote:
>>> If I allow my page on "mysite.com" to be embedded with "frame-src
>>> othersite.com" and the container page on "othersite.com" is embedded in a
>>> page from "othersite2.com", FF 12 complains that my page on "mysite.com"
>>> cannot be embedded in "othersite2.com".
>>
>> This description seems somewhat backwards. The frame-src directive
>> controls what iframes your document can contain, not the contexts in
>> which your document can be embedded.
>>
>>> 1. Is this the intention?
>>> 2. This should be documented
>>> 3. What's the best behaviour?
>>> If I allow embedding in "othersite.com" and "othersite.com" allows
>>> embedding in "othersite2.com", shouldn't it be accepted?
>>
>> CSP currently doesn't have any mechanism for controlling where your
>> document can be embedded. It can only control the location from which
>> you can load resources.
>>
>> Adam
>>
>>> It seems unrealistic to me to manage the relationship between
>>> "othersite.com" and "othersite2.com".
>>> On the other end, if "othersite.com" does not implement CSP headers
>>> correctly, this will allow embedding of "othersite.com" in any site
>>> and put my security in peril.
>>> Or maybe an additional option to specify multi-level embedding behaviour
>>> (ex: "frame-accept-multilevel")
>>>
>>> Regards,
>>>
>>> Marc
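The combination rule Tanvi describes (frame-ancestors checks every ancestor; when both headers are present the browser enforces the strictest subset) can be modelled in a few lines. The following is an added example, not code from this thread or from the Firefox CSPUtils.jsm it cites. It assumes origins are plain "scheme://host" strings with ports ignored, uses a simplified CSP source matcher, and models X-Frame-Options as comparing only the top-level document unless an all-ancestors flag is set; the origins in the demo are constructed to match Marc's scenario.

```python
"""
Added example (not from this thread or from Mozilla's code): a small model
of how a browser could combine the CSP frame-ancestors directive with
X-Frame-Options as Tanvi describes: the document renders only if every
header that is present allows the ancestor chain, and frame-ancestors
checks every ancestor. Assumptions: origins are "scheme://host" strings,
ports are ignored, and X-Frame-Options compares only the top-level document
unless all_ancestors=True (modelling the "AllAncestors" behaviour).
"""
from urllib.parse import urlsplit


def source_matches(source, ancestor_origin, doc_origin):
    """Simplified CSP source-expression matching (no ports, no paths)."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return ancestor_origin == doc_origin
    anc = urlsplit(ancestor_origin)
    if "://" in source:
        scheme, host = source.split("://", 1)
        if scheme.lower() != anc.scheme.lower():
            return False
    else:
        host = source  # scheme-less source: any scheme is accepted here
    host = host.split(":", 1)[0].lower()  # drop any port
    if host.startswith("*."):
        # "*.example.com" matches subdomains only, not the bare domain
        return anc.hostname.endswith(host[1:])
    return anc.hostname == host


def frame_ancestors_allows(directive_value, doc_origin, ancestors):
    """CSP frame-ancestors: every ancestor must match some listed source."""
    sources = directive_value.split()
    return all(
        any(source_matches(src, anc, doc_origin) for src in sources)
        for anc in ancestors
    )


def x_frame_options_allows(value, doc_origin, ancestors, all_ancestors=False):
    """X-Frame-Options with the two values the thread mentions.

    By default only the top-level document is compared; with
    all_ancestors=True every ancestor is (an assumption modelling the
    "AllAncestors" behaviour Tanvi refers to).
    """
    if not ancestors:
        return True  # a top-level document is never blocked
    value = value.strip().upper()
    checked = ancestors if all_ancestors else ancestors[-1:]
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return all(anc == doc_origin for anc in checked)
    raise ValueError(f"unsupported X-Frame-Options value: {value!r}")


def document_renders(doc_origin, ancestors, x_frame_options=None,
                     frame_ancestors=None, xfo_all_ancestors=False):
    """Strictest-subset combination: render only if every present header
    allows the chain. `ancestors` runs from the immediate parent up to the
    top-level document (empty for a top-level document)."""
    allowed = True
    if frame_ancestors is not None:
        allowed = allowed and frame_ancestors_allows(
            frame_ancestors, doc_origin, ancestors)
    if x_frame_options is not None:
        allowed = allowed and x_frame_options_allows(
            x_frame_options, doc_origin, ancestors, xfo_all_ancestors)
    return allowed


if __name__ == "__main__":
    # Marc's scenario (constructed origins): mysite.com framed by
    # othersite.com, which is itself framed by othersite2.com.
    chain = ["https://othersite.com", "https://othersite2.com"]
    print(document_renders("https://mysite.com", chain,
                           frame_ancestors="othersite.com"))   # False
    print(document_renders("https://mysite.com", chain[:1],
                           frame_ancestors="othersite.com"))   # True
```

With `frame-ancestors othersite.com` the two-level chain is refused because othersite2.com is an ancestor that is not in the list, which is exactly the FF 12 behaviour Marc saw; listing both hosts, or a wildcard such as `*.example.com` for a family of embedders, is what the directive expects, since it cannot delegate the decision to the intermediate page.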
Received on Wednesday, 2 May 2012 15:07:56 UTC