
Re: CSP: Embedded Enforcement

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 9 Sep 2016 14:39:35 -0700
Message-ID: <CADYDTCDqAcrhMY8egnof7U0ZokTwPQ-FRP2icXOhdFe-8uwOYw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

If I'm reading the spec correctly (§3.3) this does not recurse into nested
iframes. I haven't been able to decide whether recursing leads to terrible
things or if it's necessary to preserve protection, especially in the
same-origin case. I think recursing is arguably OK because middle frames
could have applied the same restrictions on their own and in theory know
this will be applied because of the Embedding-CSP header they got (and
agreed to by reflecting).

That does complicate the requirement that there be only one Embedding-CSP
policy, because a middle frame could apply their own csp attribute to an
embedded iframe. If both aren't passed along then we can run into potential
attacks depending on which one gets suppressed.

-Dan Veditz
Received on Friday, 9 September 2016 21:40:06 UTC
