Hello, WebAppSecians!

In the ever-so-brief period of time before the US transitions completely
from tryptophan-induced sloth to peppermint-infused holiday euphoria, I'd
like to draw your attention to this call for consensus to publish the
following draft of "CSP Embedded Enforcement" as a First Public Working
Draft:

https://w3c.github.io/webappsec-csp/embedded/published/FPWD.html

This draft describes a mechanism by which an embedder can propose a CSP for
a resource embedded through an `<iframe>` element, and refuse to embed any
resource which does not agree to adhere to that policy. We discussed it
briefly at TPAC, and folks seemed generally in favor of moving forward with
the draft in this group (the minutes[1] record "general mutterings of
interest", which I suppose is positive? :) ).

I think the draft is clear enough for a FPWD, and will benefit from the
attention such a publication might draw. This CfC will end in a week, on
December 7th. Feedback, positive and otherwise, would be excellent: please
send it to public-webappsec@w3.org.

[1]: http://www.w3.org/2015/10/28-webappsec-minutes

-mike
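As an added illustration of the handshake the draft describes (not code from the draft, the working group, or Mike's message): a small Python model in which the embedder parses the policy it proposes and the policy the embedded resource declares, and embeds only if the declared policy agrees. The directive-by-directive comparison rule, the treatment of `'none'`, and the function names are assumptions of this model; the draft defines its own matching rule.

```python
"""Simplified model of CSP embedded enforcement.

Assumed comparison rule (not taken from the draft): the embedded resource's
declared policy must contain every directive the embedder proposed, and for
each of those directives it must allow no source expression the proposal
does not allow. Any other directives the resource declares are ignored.
"""
from typing import Dict, FrozenSet

Policy = Dict[str, FrozenSet[str]]


def parse_csp(serialized: str) -> Policy:
    """Parse a serialized policy ("default-src 'self'; img-src *") into a
    map from directive name to its set of source expressions."""
    policy: Policy = {}
    for directive in serialized.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # 'none' denotes the empty source list (assumption of this model).
        if [s.lower() for s in sources] == ["'none'"]:
            sources = []
        # If a directive is repeated, the first occurrence wins.
        policy.setdefault(name, frozenset(sources))
    return policy


def embedder_accepts(proposed: str, declared: str) -> bool:
    """True if the embedded resource's declared policy agrees to the
    embedder's proposal under the comparison rule above."""
    want = parse_csp(proposed)
    have = parse_csp(declared)
    for name, allowed in want.items():
        if name not in have:
            return False  # resource is silent on a directive the embedder requires
        if not have[name] <= allowed:
            return False  # resource permits a source the embedder does not
    return True


if __name__ == "__main__":
    # Constructed sample policies, not taken from the draft.
    proposal = "script-src 'self'; frame-ancestors 'self'"
    print(embedder_accepts(proposal, "script-src 'self'; frame-ancestors 'self'; img-src *"))  # True
    print(embedder_accepts(proposal, "script-src 'self' https://cdn.example"))  # False
```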