Open shhnjk opened 1 year ago
I can't find any history of WebKit having taken a position on CSPEE. Assuming we haven't, this would be blocked on taking a position on CSPEE. I see that Mozilla took a position of non-harmful on that: https://github.com/mozilla/standards-positions/issues/326.
WebKittens
No response
Title of the spec
Remove same-origin blanket enforcement in CSP Embedded Enforcement
URL to the spec
https://github.com/w3c/webappsec-cspee/pull/28/files
URL to the spec's repository
https://github.com/w3c/webappsec-cspee/
Issue Tracker URL
No response
Explainer URL
https://github.com/w3c/webappsec-cspee/pull/28
TAG Design Review URL
No response
Mozilla standards-positions issue URL
https://github.com/mozilla/standards-positions/issues/878
WebKit Bugzilla URL
No response
Radar URL
No response
Description
CSP Embedded Enforcement's blanket enforcement logic specific to same-origin iframes exposes a new way to block certain resources from loading in the iframe. This allows attacks which were not possible before (example).
Given that this part of blanket enforcement is rarely used (~0.000015% in Chrome), Chromium is planning to remove the specific logic in CSP Embedded Enforcement. Therefore, we'd like to get WebKit's position on this.