[Bug 10068] Suggest making noscript obsolete but conforming from bugzilla@jessica.w3.org on 2010-08-23 (public-html-bugzilla@w3.org from August 2010)

From: <bugzilla@jessica.w3.org>
Date: Mon, 23 Aug 2010 22:20:25 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1OnfNR-0007YQ-Jc@jessica.w3.org>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=10068





--- Comment #45 from Benjamin Hawkes-Lewis <bhawkeslewis@googlemail.com>  2010-08-23 22:20:24 ---
(In reply to comment #44)
> > > <noscript><meta http-equiv=refresh content="0; URL=/home.php?_fb_noscript=1"
> > > /></noscript>
> > 
> > Adam, would you mind joining the dots for this one? I can see what this does,
> > but what is it for and how is "noscript" helping here?
> 
> <noscript> limits the meta refresh to only those situations when script is
> disabled.

Obviously. But what actual problem does this solve?

> > http://www.whatwg.org/specs/web-apps/current-work/multipage/semantics.html#attr-meta-http-equiv
> > 
> > But even if it were valid, how does "noscript" help here? Shouldn't
> > "X-Frame-Options" always be sent as a real HTTP header?
> >   
> > http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
> 
> That would apply the directive unconditionally.  The problem Facebook is
> solving here is that they have a script-based clickjacking defense that seems
> to work for them, but they want to be protected even if script is disabled. 
> Consequently, they wish to apply the X-Frame-Options directive only when script
> is disabled, hence the use of <noscript>.

The Microsoft blog post I cited says: "Send the content as an HTTP Header � the
directive is ignored if specified in a META tag". *If* that's accurate (I
haven't tested), then Facebook's directive does not work. (I wouldn't be
surprised by error in either direction.)

But - assuming for the sake of discussion it *does* work - is the purpose of
attempting to limit "X-Frame-Options" to script-less scenarios to enable the
content to be iframed when JS *is* enabled? Are they trying to balance
integrations options with security concerns or what? Is the loss of robustness
acceptable with respect to end-user security, as I've suggested it might be in
the case of tracking?

> All this talk of "progressive enhancement using JavaScript" ignore the actual
> problems folks use <noscript> to solve.

I think it's a reaction to the fact that people often use "noscript" to solve
problems badly that progressive enhancement solves better. I've tried to
explain how the use of "noscript" for tracking purposes might solve that class
of problems better (albeit still with a tradeoff), but without context it's
hard to know how well your examples solve whatever problems they are trying to
solve: a usage example is not the same as a use case.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Monday, 23 August 2010 22:20:27 UTC