Remove same-origin blanket enforcement from CSP Embedded Enforcement #251
Labels
blocked
Coming to a position is blocked on issues identified with the spec or proposal.
from: Google
Proposed, edited, or co-edited by Google.
topic: security
venue: W3C Web Application Security WG
Proposal is being reviewed in the W3C's Web Application Security WG (aka WebAppSec)
WebKittens
No response
Title of the spec
Remove same-origin blanket enforcement in CSP Embedded Enforcement
URL to the spec
https://github.com/w3c/webappsec-cspee/pull/28/files
URL to the spec's repository
https://github.com/w3c/webappsec-cspee/
Issue Tracker URL
No response
Explainer URL
w3c/webappsec-cspee#28
TAG Design Review URL
No response
Mozilla standards-positions issue URL
mozilla/standards-positions#878
WebKit Bugzilla URL
No response
Radar URL
No response
Description
CSP Embedded Enforcement's blanket enforcement logic specific to same-origin iframes exposes a new way to block certain resources from loading in the iframe. This allows attacks which were not possible before (example).
Given this part of blanket enforcement is rarely used (~0.000015% in Chrome), Chromium is planning to remove the specific logic in the CSP Embedded Enforcement. Therefore, we'd like to get WebKit's position on this.
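As an added illustration (not code from this issue, the CSPEE spec, Chromium or WebKit): a simplified JavaScript model of the decision made for a framed response under CSP Embedded Enforcement, with the same-origin blanket-enforcement shortcut switchable on and off so the behaviour before and after the proposed removal can be compared side by side. Everything here is an assumption about the algorithm's general shape: policy parsing, the `Allow-CSP-From` opt-in and the subsumption check are reduced to exact source-list comparison on named directives, and the origins and policies are constructed sample input.

```javascript
// Added illustration, not spec or browser code. Models how an embedder's
// required policy (the iframe `csp` attribute) is applied to a framed
// response. Assumptions: exact-token source lists, no default-src fallback,
// no host/wildcard matching, no local-scheme handling.

// "script-src 'self' https://a.example; img-src *" -> Map(name -> Set(sources))
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), new Set(sources));
  }
  return directives;
}

// Simplified subsumption: for every directive the embedder requires, the
// frame's delivered policy must carry that directive and allow nothing the
// required list does not (i.e. the frame is already at least as strict).
function requiredSubsumesDelivered(required, delivered) {
  for (const [name, requiredSources] of required) {
    const deliveredSources = delivered.get(name);
    if (!deliveredSources) return false;
    for (const src of deliveredSources) {
      if (!requiredSources.has(src)) return false;
    }
  }
  return true;
}

// Decide whether `response` may be loaded into a frame whose embedder set
// `requiredCsp`, and which policies the framed document ends up enforcing.
//   embedder: { origin }
//   response: { origin, headers: { 'allow-csp-from'?, 'content-security-policy'? } }
//   options.sameOriginBlanket: true = the shortcut this issue proposes removing
// Returns { result: 'Allowed' | 'Blocked', enforced: [serialized policies] }.
function embeddedEnforcementDecision(requiredCsp, embedder, response, options) {
  const delivered = response.headers['content-security-policy'] || '';
  const own = delivered ? [delivered] : [];

  if (requiredCsp === null || requiredCsp === undefined) {
    return { result: 'Allowed', enforced: own };
  }

  // Same-origin shortcut: the embedder's policy is simply added to the frame's
  // own policies. This is what lets an embedder switch off individual resource
  // loads (e.g. one script) inside a same-origin frame that never opted in.
  if (options.sameOriginBlanket && response.origin === embedder.origin) {
    return { result: 'Allowed', enforced: [...own, requiredCsp] };
  }

  // Explicit opt-in to blanket enforcement by the framed document.
  const allowFrom = response.headers['allow-csp-from'];
  if (allowFrom === '*' || allowFrom === embedder.origin) {
    return { result: 'Allowed', enforced: [...own, requiredCsp] };
  }

  // Otherwise the frame must already deliver a policy at least as strict as
  // the required one; if not, the whole navigation is blocked (no partial
  // resource blocking is possible on this path).
  if (delivered && requiredSubsumesDelivered(parsePolicy(requiredCsp), parsePolicy(delivered))) {
    return { result: 'Allowed', enforced: own };
  }
  return { result: 'Blocked', enforced: [] };
}

// Constructed sample: https://app.example frames its own /widget page, which
// sends no CSP and no Allow-CSP-From, with csp="script-src 'none'".
function demo() {
  const embedder = { origin: 'https://app.example' };
  const sameOriginWidget = { origin: 'https://app.example', headers: {} };
  return {
    before: embeddedEnforcementDecision("script-src 'none'", embedder, sameOriginWidget, { sameOriginBlanket: true }),
    after: embeddedEnforcementDecision("script-src 'none'", embedder, sameOriginWidget, { sameOriginBlanket: false }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

With the shortcut on, the same-origin widget loads but inherits `script-src 'none'`, so the embedder has silently disabled every script in it; with the shortcut off, the same request is refused outright unless the widget opts in via `Allow-CSP-From` or already ships a policy at least as strict, which is exactly the set of outcomes the embedder could already produce by choosing not to frame the page.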