[CSP] Question about embedding iframes

Hello,

Could you help me understand how much control the embedding context has
over an included iframe's CSP, please?

Consider the following setup:

   - Embedding context: Content-Security-Policy: connect-src https://alice.com
   - https://alice.com iframe: Content-Security-Policy: connect-src https://bob.com

Section 3.5 Policy applicability
<https://www.w3.org/TR/CSP2/#which-policy-applies> states that for "Any
resource included via iframe":

> The policy of the embedding resource controls what may be embedded.
> The embedded resource, however, is controlled by the policy delivered
> with the resource

*Question:* Does this rule allow https://alice.com to connect to
https://bob.com, even though the embedding context prohibits it?

I could not find a "Policy applicability" section in the Editors draft
<https://w3c.github.io/webappsec-csp/>. Was that removed intentionally?
Thank you.

Cheers,
Rouslan

Received on Friday, 16 September 2022 13:30:56 UTC
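The applicability rule quoted in the message can be modelled in a few lines, and doing so makes the split concrete: a document is checked only against the policy delivered with it, and the embedder's policy decides only whether the frame may be loaded (frame-src, falling back to child-src and then default-src). The code below is an added example written for this page, not text from the message or from any W3C specification. It assumes an embedder origin of https://top.example (the post never names one), and its source-expression matching is deliberately simplified (scheme, host with an optional leading wildcard, optional port; paths are ignored).

```javascript
// Added example: a minimal model of CSP "policy applicability" for an
// embedded iframe. Each document is evaluated against ITS OWN policy; the
// embedder's policy only governs whether the frame may be loaded.
// Source matching is simplified (no path matching, no nonces/hashes).

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// The first occurrence of a directive wins, as in the spec.
function parsePolicy(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Does one source expression match the request URL? (simplified matching)
function sourceMatches(expr, url, selfOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === selfOrigin;
  if (e === '*') return url.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.\-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme ? url.protocol !== scheme + ':' : !(url.protocol in DEFAULT_PORT)) return false;
  // "*.alice.com" matches subdomains only, never alice.com itself.
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === undefined) {
    if (urlPort !== (DEFAULT_PORT[url.protocol] || '')) return false;
  } else if (port !== '*' && urlPort !== port) {
    return false;
  }
  return true;
}

// Fallback chains per CSP3: connect-src -> default-src,
// frame-src -> child-src -> default-src. No governing directive = unrestricted.
const FALLBACK = {
  'connect-src': ['connect-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
};

function allowsRequest(policy, directive, url, selfOrigin) {
  const name = FALLBACK[directive].find((d) => d in policy);
  if (!name) return true;
  return policy[name].some((src) => sourceMatches(src, url, selfOrigin));
}

// The setup from the question. EMBEDDER_ORIGIN is an assumption for this example.
const EMBEDDER_ORIGIN = 'https://top.example';
const embedderPolicy = parsePolicy('connect-src https://alice.com');
const alicePolicy = parsePolicy('connect-src https://bob.com');

// Embedder side: may the alice.com frame be loaded at all?
function canEmbedAlice() {
  return allowsRequest(embedderPolicy, 'frame-src', new URL('https://alice.com/'), EMBEDDER_ORIGIN);
}

// Inside the iframe: the fetch is governed by alice.com's own policy only.
function aliceCanConnectToBob() {
  return allowsRequest(alicePolicy, 'connect-src', new URL('https://bob.com/api'), 'https://alice.com');
}

// The embedder's own scripts are still bound by the embedder's connect-src.
function embedderCanConnectToBob() {
  return allowsRequest(embedderPolicy, 'connect-src', new URL('https://bob.com/api'), EMBEDDER_ORIGIN);
}

// Helper to try alternative embedder policies against a frame URL.
function frameAllowedUnder(header, frameUrl) {
  return allowsRequest(parsePolicy(header), 'frame-src', new URL(frameUrl), EMBEDDER_ORIGIN);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('embedder may frame alice.com:', canEmbedAlice());
  console.log('alice.com frame may connect to bob.com:', aliceCanConnectToBob());
  console.log('embedder itself may connect to bob.com:', embedderCanConnectToBob());
  console.log("with default-src 'self' the frame is blocked:",
    frameAllowedUnder("default-src 'self'; connect-src https://alice.com", 'https://alice.com/'));
}
```

With the policies exactly as given in the message, the model loads the frame (the embedder has no frame-src, child-src or default-src, so framing is unrestricted) and permits the frame's request to https://bob.com, because that request is evaluated only against alice.com's policy; the same request issued by the embedder's own scripts is refused. The only lever the embedder has over what gets framed is its frame-src chain, as the last call shows.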