- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 9 Sep 2016 14:39:35 -0700
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 9 September 2016 21:40:06 UTC
If I'm reading the spec correctly (ยง3.3) this does not recurse into nested iframes. I haven't been able to decide whether recursing leads to terrible things or if it's necessary to preserve protection, especially in the same-origin case. I think recursing is arguably OK because middle frames could have applied the same restrictions on their own and in theory know this will be applied because of the Embedding-CSP header they got (and agreed to by reflecting). That does complicate the requirement that there be only one Embedding-CSP policy, because a middle frame could apply their own csp attribute to an embedded iframe. If both aren't passed along then we can run into potential attacks depending on which one gets suppressed. -Dan Veditz
Received on Friday, 9 September 2016 21:40:06 UTC