I would like to comment on Embedded Enforcement and Cookie Controls.
I think this is a very useful facility for privacy, especially in the light
of the forthcoming law in Europe and new rules for data export, as it would
let a site freely embed third-party iframes and retain control of personal
data (web history) collection with a csp attribute.
Would it not also be a good idea to also allow sites to apply the same
controls to other embedded elements, i.e. imgs, stylesheets etc.
For consistency, the same csp attribute could be added to non-script
containing resource, but only the cookie-scope directive would be relevant,
overriding the effect of any set-cookies header in the HTTP response. The
third-party resource would still be able to control the response on
detecting the Embedding-CSP header.
I know it is not really the same situation as controlling an iframe’s CSP,
but the effect is analogous and the same mechanism could be used, if only
for simplicity.
Mike
Mike O'Neill
Technical Director
Baycloud Systems
Oxford Centre for Innovation
New Road
Oxford
OX1 1BY
Tel. 01865 735619
Fax: 01865 261401
Email: <mailto:michael.oneill@baycloud.com> michael.oneill@baycloud.com
<http://www.linkedin.com/pub/11/894/925> Professional Profile
<http://www.linkedin.com/e/wwk/41003309/> See who we know in common
<http://www.linkedin.com/e/sig/41003309/> Want a signature like this?
