Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

From: Tobias Gondrom <tobias.gondrom@gondrom.org>
Date: Tue, 12 Mar 2013 22:05:46 +0800
Message-ID: <513F363A.9060805@gondrom.org>
To: annevk@annevk.nl
CC: imelven@mozilla.com, public-webappsec@w3.org

On 12/03/13 21:58, Anne van Kesteren wrote:
> On Mon, Mar 11, 2013 at 5:31 PM, Ian Melven <imelven@mozilla.com> wrote:
>> yes, this is the argument i have made in our bug on changing XFO.
>>
>> I also filed another Mozilla bug for implementing frame-options in CSP :
>> https://bugzilla.mozilla.org/show_bug.cgi?id=846978
>>
>> comments/feedback in either of those bugs are very welcome ! :)
> If CSP supplants XFO it should document XFO and their mutual
> interaction (and not just as a consideration, but just give the rules
> implementations should follow).
>
>
The plan is to have CSP as the successor for XFO.
We currently document the "old" existing XFO practice as informational
in websec
http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02

But improvements going forward in the future are planned to be put into
CSP 1.1.

With this approach, I believe it should be sufficient if we just
reference XFO from CSP1.1 after the XFO RFC has been released.

Best regards, Tobias
Received on Tuesday, 12 March 2013 14:06:27 UTC
