RE: [websec] Coordinating Frame-Options and CSP UI Safety directives

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 10 Jul 2012 00:02:31 +0000
To: Tobias Gondrom <tobias.gondrom@gondrom.org>, "websec@ietf.org" <websec@ietf.org>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E17AE18@DEN-EXDDA-S12.corp.ebay.com>

Tobias,

I'm happy to move the discussion primarily to websec, and I'll drop the cc: to webappsec after this email. Thanks for the historical clarification, as well.

I'm not terribly concerned about which group does the work, as much as arriving at the engineering solution that works best for user agent and resource authors, some of whom have expressed preference for moving this functionality into CSP.  As both a chair and an individual, I don't have a strong preference, but I think there are reasons in favor of each option and it is worth re-opening the discussion now that the WebAppSec WG has a concrete deliverable under development to address the same general class of attacks.

I'll send out a summary shortly of the similarities and differences between the various options currently proposed for some additional context.

-Brad Hill
Received on Tuesday, 10 July 2012 00:03:05 GMT