

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sat, 3 Dec 2016 19:32:38 -0000
To: <public-webappsec@w3.org>
Message-ID: <184401d24d9c$01d2e100$0578a300$@baycloud.com>
When you want to update the required CSP, editing a large site with several
iframes can be logistically difficult; some of them may be loaded dynamically
or via tag management and are difficult to keep track of. Different teams may
have local authority for some site content, but there still may be a need to
set an overall policy for the site.


How about a default CSP attribute for iframes, i.e. an Embedding-CSP header
is sent with a default value to any iframe that does not have a “csp”


The default value would be managed by a centralised authority for the site,
so individual iframes' CSPs would only need to be edited if they needed their
own embedded CSP.


The default embedded CSP could be set by the top level origin responding
with its own Embedding-CSP (response) header, which could also be delivered
in situ via an http-equiv meta tag.


Mike O’Neill
Baycloud Systems
The Oxford Centre for Innovation
New Road,

Tel: +44 1865 735619
Skype: mikeoneill


Received on Saturday, 3 December 2016 19:34:03 UTC
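The following JavaScript is an added illustration of the proposal above and is not code from the post or from any specification: it models the "default csp attribute for iframes" on the embedding page by reading a site-wide default from a `<meta http-equiv="Embedding-CSP">` tag and applying it to every iframe that carries no `csp` attribute of its own, including frames inserted later by tag managers, while leaving per-frame policies untouched. The `csp` iframe attribute is the one from the CSP Embedded Enforcement draft; delivering the default via an `Embedding-CSP` response header or meta tag is the post's proposal and is assumed here, not a shipped browser feature.

```javascript
// Added example (not the post's code): apply a site-wide default `csp`
// attribute to iframes that lack one. Reading the default from an
// `Embedding-CSP` http-equiv meta is the post's proposal, assumed here;
// browsers do not process that meta themselves, so this script reads it.

// Pure core: accepts iframe-like objects (anything with hasAttribute /
// setAttribute), so it runs both in a browser and under a test harness.
// Returns the number of frames that received the default.
function applyDefaultCsp(iframes, defaultPolicy) {
  if (!defaultPolicy) return 0;
  let applied = 0;
  for (const frame of iframes) {
    // A frame with its own policy is a team-level override: keep it.
    if (frame.hasAttribute("csp")) continue;
    frame.setAttribute("csp", defaultPolicy);
    applied += 1;
  }
  return applied;
}

// Reads the default the top-level origin delivers in situ via meta.
function readDefaultPolicy(doc) {
  const meta = doc.querySelector('meta[http-equiv="Embedding-CSP" i]');
  const value = meta && meta.getAttribute("content");
  return value ? value.trim() : null;
}

// Browser wiring: handle frames already in the DOM, then watch for frames
// added dynamically. The observer is best effort: the reliable path for a
// frame created by script is to set `csp` before assigning its `src`.
function installDefaultCsp(doc) {
  const policy = readDefaultPolicy(doc);
  if (!policy) return null;
  applyDefaultCsp(doc.querySelectorAll("iframe"), policy);
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (node.nodeType !== 1) continue; // element nodes only
        const frames = node.tagName === "IFRAME"
          ? [node]
          : node.querySelectorAll("iframe");
        applyDefaultCsp(frames, policy);
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

if (typeof document !== "undefined") installDefaultCsp(document);
```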
