
Initial implementation of Content-Security-Policy: Embedded Enforcement

From: Malika Aubakirova <amalika@google.com>
Date: Wed, 2 Nov 2016 16:15:46 +0100
Message-ID: <CALK0k2bmXTgTqxAvu73uiq1+j_HW6R64EY0AZQeEyD9y7hH3CQ@mail.gmail.com>
To: public-webappsec@w3.org

Hello, public-webappsec!

Preliminary work for Embedded Enforcement has been done and is
available under an experimental flag EmbedderCSPEnforcement
<https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in?q=embedderCSPEnforcement&sq=package:chromium&l=93&dr=C>.
This feature empowers the embedder to enforce certain policies on its
embedees. When present, iframes will be loaded if and only if
they agree to the restrictions imposed by the embedder.

At this moment, an embedee can comply with the Embedding-CSP only
through the `Allow-CSP-From` header (more information on this header is
here <https://w3c.github.io/webappsec-csp/embedded/#allow-csp-from-http-header>)
and this is ready for testing. Please note that the subsumption algorithm
is still under review and is not yet available.

The bug that tracks the progress is this
<https://bugs.chromium.org/p/chromium/issues/detail?id=647588>.
Comments and suggestions will be highly appreciated!

Thanks,
Malika

Received on Wednesday, 2 November 2016 16:08:09 UTC
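The opt-in handshake the message describes, as an added illustration that is not part of the original post and not Chromium's or the spec's code: the embedder sends its required policy in an `Embedding-CSP` request header, the embedded document answers with `Allow-CSP-From`, and the frame is loaded (with the embedder's policy enforced on it) only when that header's value is `*` or the embedder's own origin. The function names, the constructed headers and origins, and the simplification that a missing or mismatched header simply blocks the frame are assumptions of this example; the subsumption path the message says is still under review is deliberately not modelled.

```javascript
// Added example (not from the original message or from Chromium): a
// simplified model of CSP Embedded Enforcement's Allow-CSP-From check.
// Names, sample headers and origins are constructed for illustration.

// Case-insensitive lookup of a response header in a plain object.
function lookupHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return null;
}

// Canonicalise a serialized origin (lower-case scheme/host, default port
// dropped) so that "HTTPS://Embedder.example:443" equals
// "https://embedder.example". Returns null for anything that is not an origin.
function canonicalOrigin(value) {
  try {
    const url = new URL(value.trim());
    // A bare origin has no path beyond "/" and no query or fragment.
    if (url.pathname !== '/' || url.search || url.hash) return null;
    return url.origin;
  } catch (e) {
    return null;
  }
}

// Does the embedee's Allow-CSP-From value cover this embedder's origin?
function allowsEmbedder(allowCspFrom, embedderOrigin) {
  if (typeof allowCspFrom !== 'string') return false;   // header absent
  const value = allowCspFrom.trim();
  if (value === '*') return true;                         // any embedder
  const allowed = canonicalOrigin(value);
  const embedder = canonicalOrigin(embedderOrigin);
  return allowed !== null && embedder !== null && allowed === embedder;
}

// Decide whether the frame loads and which policy is enforced on it.
// Assumption of this model: no Embedding-CSP means nothing to enforce;
// an Embedding-CSP without a matching opt-in blocks the frame.
function decideFrameLoad({ embedderOrigin, embeddingCsp, responseHeaders }) {
  if (!embeddingCsp) {
    return { load: true, enforcedPolicy: null, reason: 'no Embedding-CSP sent' };
  }
  const allow = lookupHeader(responseHeaders, 'Allow-CSP-From');
  if (allowsEmbedder(allow, embedderOrigin)) {
    return { load: true, enforcedPolicy: embeddingCsp,
             reason: 'embedee opted in via Allow-CSP-From' };
  }
  return { load: false, enforcedPolicy: null,
           reason: 'embedee did not opt in via Allow-CSP-From (subsumption not modelled)' };
}

// Constructed scenario: an embedder that wants no scripts in its frames.
const EMBEDDER = 'https://embedder.example';
const POLICY = "script-src 'none'";

function demo() {
  const cases = {
    optedIn:   { 'Content-Type': 'text/html', 'allow-csp-from': 'https://embedder.example' },
    wildcard:  { 'Allow-CSP-From': '*' },
    other:     { 'Allow-CSP-From': 'https://other.example' },
    noHeader:  { 'Content-Type': 'text/html' },
  };
  const results = {};
  for (const [name, headers] of Object.entries(cases)) {
    results[name] = decideFrameLoad({ embedderOrigin: EMBEDDER, embeddingCsp: POLICY,
                                      responseHeaders: headers });
  }
  return results;
}

for (const [name, r] of Object.entries(demo())) {
  console.log(`${name}: load=${r.load} policy=${r.enforcedPolicy} (${r.reason})`);
}
```

Run it with `node`; the script prints one decision per constructed response. The origin canonicalisation matters in practice: a comparison done on raw strings would reject an embedee that wrote its `Allow-CSP-From` value with a different letter case or an explicit default port, and a value with a path or query is not an origin at all and is rejected rather than guessed at.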
