- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Tue, 01 May 2012 11:00:14 -0700
- To: public-web-security@w3.org, marc.stern@approach.be
Hi Marc,

You may be thinking of the X-Frame-Options header:
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header

This header tells browsers whether or not to allow your site to be iframed. There are only two options though: DENY and SAMEORIGIN.

~Tanvi

On 5/1/12 10:27 AM, Adam Barth wrote:
> On Fri, Apr 27, 2012 at 1:04 AM, Marc Stern <marc.stern@approach.be> wrote:
>> If I allow my page on "mysite.com" to be embedded with "frame-src
>> othersite.com" and the container page on "othersite.com" is embedded in a
>> page from "othersite2.com", FF 12 complains that my page on "mysite.com"
>> cannot be embedded in "othersite2.com".
> This description seems somewhat backwards. The frame-src directive
> controls what iframes your document can contain, not the contexts in
> which your document can be embedded.
>
>> 1. Is this the intention?
>> 2. This should be documented.
>> 3. What's the best behaviour?
>> If I allow embedding in "othersite.com" and "othersite.com" allows
>> embedding in "othersite2.com", shouldn't it be accepted?
> CSP currently doesn't have any mechanism for controlling where your
> document can be embedded. It can only control the location from which
> you can load resources.
>
> Adam
>
>
>> It seems unrealistic to me to manage the relationship between
>> "othersite.com" and "othersite2.com".
>> On the other end, if "othersite.com" does not implement CSP headers
>> correctly, this will allow embedding of "othersite.com" in any site and put my
>> security in peril.
>> Or maybe an additional option to specify multi-level embedding behaviour
>> (ex: "frame-accept-multilevel").
>>
>> Regards,
>>
>> Marc
Received on Wednesday, 2 May 2012 15:07:56 UTC
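The distinction Adam draws in the thread (frame-src is enforced by the embedding document on what it may frame; X-Frame-Options is enforced on the framed response against the documents above it) written out as a small decision model. This is an added example, not code from the thread, from Mozilla, from the W3C or from any browser. The origins, header values and document chain are constructed for illustration; the CSP source matching is simplified to hosts, schemes, ports and the "*." wildcard; and SAMEORIGIN is checked against every ancestor, as current browsers do, rather than only the top-level page.

```javascript
// Added example (not from the thread, Mozilla or the W3C): a model of the two
// checks the thread distinguishes. All origins and header values are constructed.

// Does one CSP source expression (a frame-src token) allow `childOrigin` when
// the policy belongs to a document at `selfOrigin`? Simplified host-source
// matching: 'none', 'self', '*', optional scheme, optional "*." subdomain
// wildcard, optional port. Paths, nonces and hashes are not modelled.
function sourceMatches(token, selfOrigin, childOrigin) {
  const self = new URL(selfOrigin);
  const child = new URL(childOrigin);
  const t = token.toLowerCase();
  if (t === "'none'") return false;
  if (t === "'self'") return self.origin === child.origin;
  if (t === '*') return true;
  // "scheme://host[:port]" or bare "host[:port]", host may start with "*."
  const m = t.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (scheme + ':' !== child.protocol) return false;
  } else {
    // No scheme in the token: the page's own scheme, or https when the page is http.
    const sameScheme = self.protocol === child.protocol;
    const upgraded = self.protocol === 'http:' && child.protocol === 'https:';
    if (!sameScheme && !upgraded) return false;
  }
  if (wildcard) {
    if (!child.hostname.endsWith('.' + host)) return false;
  } else if (child.hostname !== host) {
    return false;
  }
  if (port && port !== '*') {
    const childPort = child.port || (child.protocol === 'https:' ? '443' : '80');
    if (port !== childPort) return false;
  }
  return true;
}

// CSP frame-src: evaluated on the *embedding* document. `frameSrc` is the
// directive's token list, or null when the directive is absent.
function frameSrcAllows(frameSrc, parentOrigin, childOrigin) {
  if (!frameSrc) return true; // no directive: nothing restricts what the parent frames
  return frameSrc.some(tok => sourceMatches(tok, parentOrigin, childOrigin));
}

// X-Frame-Options: evaluated on the *framed* response against the origins of
// the documents above it. DENY: never framed. SAMEORIGIN: every ancestor must
// share the framed document's origin. Any other value, or no header: no restriction.
function xfoAllows(xfo, framedOrigin, ancestorOrigins) {
  if (!xfo) return true;
  const v = xfo.trim().toUpperCase();
  if (v === 'DENY') return ancestorOrigins.length === 0;
  if (v === 'SAMEORIGIN') return ancestorOrigins.every(o => o === framedOrigin);
  return true;
}

// Walk a document chain from the top-level page downward. Each entry is
// { origin, frameSrc, xfo }. Returns 'allowed' or the first reason a frame in
// the chain would be blocked.
function framingDecision(chain) {
  for (let i = 1; i < chain.length; i++) {
    const parent = chain[i - 1];
    const child = chain[i];
    if (!frameSrcAllows(parent.frameSrc, parent.origin, child.origin)) {
      return `blocked: ${parent.origin}'s frame-src does not allow ${child.origin}`;
    }
    const ancestors = chain.slice(0, i).map(d => d.origin);
    if (!xfoAllows(child.xfo, child.origin, ancestors)) {
      return `blocked: ${child.origin} sends X-Frame-Options: ${child.xfo}`;
    }
  }
  return 'allowed';
}

// Marc's scenario as a constructed chain: othersite2.com frames othersite.com,
// which frames mysite.com. The "frame-src othersite.com" that mysite.com sends
// never enters the decision; it only restricts what mysite.com itself may frame.
const MYSITE = 'https://mysite.com';
const OTHER = 'https://othersite.com';
const OTHER2 = 'https://othersite2.com';

function marcsScenario(mysiteXfo) {
  return framingDecision([
    { origin: OTHER2, frameSrc: null, xfo: null },
    { origin: OTHER, frameSrc: ['mysite.com'], xfo: null },
    { origin: MYSITE, frameSrc: ['othersite.com'], xfo: mysiteXfo },
  ]);
}

console.log(marcsScenario(null));         // allowed
console.log(marcsScenario('SAMEORIGIN')); // blocked: https://mysite.com sends X-Frame-Options: SAMEORIGIN
```

marcsScenario(null) returning 'allowed' is the security problem Marc raises: nothing mysite.com puts in frame-src protects mysite.com, and whether othersite.com sets a policy or not changes nothing about who may frame mysite.com. Only a header evaluated on mysite.com's own response blocks the chain, which at the time of the thread meant X-Frame-Options; a later CSP revision added the frame-ancestors directive for exactly this purpose.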