CfC: CSP Embedded Enforcement to FPWD; deadline Dec. 7th.

From: Mike West <mkwst@google.com>
Date: Mon, 30 Nov 2015 11:14:35 +0100
Message-ID: <CAKXHy=d204kL0PTYbNYoiZ6gdor-=ofA7krhA5yJxDLtL9M59g@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Dan Veditz <dveditz@mozilla.com>

Hello, WebAppSecians!

In the ever-so-brief period of time before the US transitions completely
from tryptophan-induced sloth to peppermint-infused holiday euphoria, I'd
like to draw your attention to this call for consensus to publish the
following draft of "CSP Embedded Enforcement" as a First Public Working
Draft:

https://w3c.github.io/webappsec-csp/embedded/published/FPWD.html

This draft describes a mechanism by which an embedder can propose a CSP for
a resource embedded through an `<iframe>` element, and refuse to embed any
resource which does not agree to adhere to that policy. We discussed it
briefly at TPAC, and folks seemed generally in favor of moving forward with
the draft in this group (the minutes[1] record "general mutterings of
interest", which I suppose is positive? :) ).

I think the draft is clear enough for a FPWD, and will benefit from the
attention such a publication might draw. This CfC will end in a week, on
December 7th. Feedback, positive and otherwise, would be excellent: please
send it to public-webappsec@w3.org.

[1]: http://www.w3.org/2015/10/28-webappsec-minutes

-mike
Received on Monday, 30 November 2015 10:15:30 UTC
