
[embedded-enforcement]

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sat, 3 Dec 2016 19:32:38 -0000
To: <public-webappsec@w3.org>
Message-ID: <184401d24d9c$01d2e100$0578a300$@baycloud.com>
When you want to update the required CSP, editing a large site with several
iframes can be logistically difficult; some of them may be loaded dynamically
or via tag management and are difficult to keep track of. Different teams may
have local authority for some site content, but there still may be a need to
set an overall policy for the site.

How about a default CSP attribute for iframes, i.e. an Embedding-CSP header
is sent with a default value to any iframe that does not have a "csp"
attribute.

The default value would be managed by a centralised authority for the site,
so individual iframes' CSPs would only need to be edited if they needed their
own embedded CSP.

The default embedded CSP could be set by the top-level origin responding
with its own Embedding-CSP (response) header, which could also be delivered
in situ via an http-equiv meta tag.

Mike

Mike O'Neill
Director
Baycloud Systems
The Oxford Centre for Innovation
New Road,
Oxford,
OX1 1BY
Tel: +44 1865 735619
Skype: mikeoneill

Received on Saturday, 3 December 2016 19:34:03 UTC
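The selection rule this proposal describes, as an added example that is not part of the thread or of the Embedded Enforcement spec: a Python sketch that decides, for each iframe in a top-level document, which Embedding-CSP value the embedder would send, preferring the iframe's own csp attribute and falling back to a site-wide default taken from an Embedding-CSP response header or an http-equiv meta tag. The response header, the meta tag, the class and function names and the sample markup are assumptions taken from the proposal; today the spec defines Embedding-CSP only as a request header derived from the csp attribute.

```python
from html.parser import HTMLParser

# Constructed sample page: a site-wide default delivered in situ via the
# proposed <meta http-equiv="Embedding-CSP">, one iframe with its own csp
# attribute, one without, and one placed by a hypothetical tag manager.
SAMPLE_HTML = """<html><head>
<meta http-equiv="Embedding-CSP" content="script-src https://cdn.example; frame-ancestors 'self'">
</head><body>
<iframe src="https://ads.example/slot" csp="script-src 'none'"></iframe>
<iframe src="https://widgets.example/chat"></iframe>
<iframe src="https://tags.example/container" data-loaded-by="tag-manager"></iframe>
</body></html>"""


class EmbeddingCspPlanner(HTMLParser):
    def __init__(self, response_headers=None):
        super().__init__()
        # Proposal (hypothetical): the top-level response may carry Embedding-CSP
        # as a *response* header naming the site default.
        self.default_policy = (response_headers or {}).get("Embedding-CSP")
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "embedding-csp":
            # In-situ delivery; a real header, if present, is not overridden by markup.
            if self.default_policy is None:
                self.default_policy = a.get("content")
        elif tag == "iframe":
            self.iframes.append(a)


def plan_embedding_csp(html, response_headers=None):
    """Return, per iframe, the Embedding-CSP request header the embedder would send."""
    parser = EmbeddingCspPlanner(response_headers)
    parser.feed(html)
    parser.close()
    plan = []
    for a in parser.iframes:
        if a.get("csp"):                       # explicit attribute always wins
            policy, source = a["csp"], "csp attribute"
        elif parser.default_policy:            # proposed fallback to the site default
            policy, source = parser.default_policy, "site default"
        else:                                  # current behaviour: no header is sent
            policy, source = None, "none"
        plan.append({"src": a.get("src"), "embedding_csp": policy, "source": source})
    return plan


if __name__ == "__main__":
    for entry in plan_embedding_csp(SAMPLE_HTML):
        print(f"{entry['src']}: {entry['embedding_csp']!r} ({entry['source']})")
```

Iframes inserted later by script are invisible to a static parse like this one; in a browser the same rule would have to run at frame-creation time, which is why the proposal puts it in the user agent rather than in page markup.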
