- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Mon, 15 Feb 2016 11:17:29 -0000
- To: "'WebAppSec WG'" <public-webappsec@w3.org>
- Message-ID: <052501d167e2$75b94140$612bc3c0$@baycloud.com>
I would like to comment on Embedded Enforcement and Cookie Controls. I think this is a very useful facility for privacy, especially in the light of the forthcoming law in Europe and new rules for data export, as it would let a site freely embed third-party iframes and retain control of personal data (web history) collection with a csp attribute.

Would it not also be a good idea to allow sites to apply the same controls to other embedded elements, i.e. imgs, stylesheets etc.? For consistency, the same csp attribute could be added to non-script-containing resources, but only the cookie-scope directive would be relevant, overriding the effect of any Set-Cookie header in the HTTP response. The third-party resource would still be able to control the response on detecting the Embedding-CSP header. I know it is not really the same situation as controlling an iframe's CSP, but the effect is analogous and the same mechanism could be used, if only for simplicity.

Mike

Mike O'Neill
Technical Director
Baycloud Systems
Oxford Centre for Innovation
New Road
Oxford OX1 1BY
Tel. 01865 735619
Fax: 01865 261401
Email: michael.oneill@baycloud.com
Received on Monday, 15 February 2016 11:17:59 UTC
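As an added illustration, not code from the post, from Baycloud or from the CSP specifications: a toy JavaScript model of the exchange the proposal describes, with the embedder sending its csp attribute as an Embedding-CSP request header, the third-party server adapting its response when it sees that header, and the browser ignoring Set-Cookie on a non-script resource whose embedder set cookie-scope. The use of these headers for img elements, the treatment of cookie-scope as a bare flag, and the server logic are assumptions made for the simulation.

```javascript
// Constructed simulation of the proposed behaviour; not spec-defined.

// Parse a serialized CSP ("a b; c d") into a Map of directive -> values.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Embedder side: the policy on the element's csp attribute travels with the
// fetch as an Embedding-CSP request header (as it does for iframes).
function requestFor(url, cspAttribute) {
  const headers = { host: new URL(url).host };
  if (cspAttribute) headers["embedding-csp"] = cspAttribute;
  return { url, headers };
}

// Third-party side: a server that normally sets an identifying cookie but,
// on detecting an embedder policy with cookie-scope, sends none at all.
function thirdPartyResponse(request) {
  const headers = { "content-type": "image/png" };
  const embedderPolicy = parsePolicy(request.headers["embedding-csp"] || "");
  if (!embedderPolicy.has("cookie-scope")) {
    headers["set-cookie"] = "uid=constructed-sample-id; Path=/";  // constructed
  }
  return { status: 200, headers };
}

// Browser side (proposal): for a non-script resource only cookie-scope is
// relevant; if the embedder set it, any Set-Cookie in the response is ignored,
// even when the third party did not honour the request header.
function storedCookies(cspAttribute, response) {
  const policy = parsePolicy(cspAttribute || "");
  const setCookie = response.headers["set-cookie"];
  if (!setCookie || policy.has("cookie-scope")) return [];
  return [setCookie.split(";")[0].trim()];   // name=value only
}

// Run the whole exchange for one <img> and report which cookies get stored.
function simulateEmbed(url, cspAttribute) {
  const response = thirdPartyResponse(requestFor(url, cspAttribute));
  return storedCookies(cspAttribute, response);
}
```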