Re: Publishing From-Origin Proposal as FPWD

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 30 Jun 2011 19:31:53 -0700
Message-ID: <4E0D3199.6070400@mozilla.com>
To: Maciej Stachowiak <mjs@apple.com>
CC: Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>

On 6/30/11 9:31 AM, Maciej Stachowiak wrote:
> 
> On Jun 30, 2011, at 7:22 AM, Anne van Kesteren wrote:
>> (Added public-web-security because of the potential for doing
>> this in CSP instead. Though that would require a slight change
>> of scope for CSP, which I'm not sure is actually desirable.)
> 
> I approve of publishing this as FPWD.
> 
> I also don't think it makes sense to tie this to CSP.

Conceptually it's similar to the CSP frame-ancestors
directive--which we've decided doesn't fit in CSP either. Most of
CSP is "can load" while frame-ancestors was "can be loaded by".
We've proposed that the frame-ancestors functionality be moved into
an expanded/standardized X-Frame-Options mechanism, but a
standardized "From-Origin" would work just as well (better?).

It may still make sense to put From-Origin in the WebSecurity
(not-quite) WG along with CORS rather than free floating in WebApps.
But I don't have strong feelings about that. Mozilla would be
interested in implementing this feature regardless.

-Dan Veditz
Received on Friday, 1 July 2011 02:32:29 GMT