W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2016

Embedded Enforcement and Cookie Controls

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Mon, 15 Feb 2016 11:17:29 -0000
To: "'WebAppSec WG'" <public-webappsec@w3.org>
Message-ID: <052501d167e2$75b94140$612bc3c0$@baycloud.com>
I would like to comment on Embedded Enforcement and Cookie Controls. 


I think this is a very useful facility for privacy, especially in the light
of the forthcoming law in Europe and new rules for data export, as it would
let a site freely embed third-party iframes and retain control of personal
data  (web history) collection with a csp attribute.


Would it not also be a good idea to also allow sites to apply the same
controls to other embedded elements, i.e. imgs, stylesheets etc.


For consistency, the same csp attribute could be added to non-script
containing resource, but only the cookie-scope directive  would be relevant,
overriding the effect of any set-cookies header in the HTTP response. The
third-party resource would still be able to control the response on
detecting the Embedding-CSP header.


I know it is not really the same situation as controlling an iframe’s CSP,
but the effect is analogous and the same mechanism could be used, if only
for simplicity.




Mike O'Neill

Technical Director

Baycloud Systems

Oxford Centre for Innovation 

New Road



Tel. 01865 735619

Fax: 01865 261401

Email:  <mailto:michael.oneill@baycloud.com> michael.oneill@baycloud.com
 <http://www.linkedin.com/pub/11/894/925> Professional Profile


 <http://www.linkedin.com/e/wwk/41003309/> See who we know in common

 <http://www.linkedin.com/e/sig/41003309/> Want a signature like this?



(image/png attachment: image003.png)

(image/png attachment: image004.png)

Received on Monday, 15 February 2016 11:17:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:54 UTC