- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 27 Aug 2014 22:05:56 -0700
- To: "Hill, Brad" <bhill@paypal.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I vote for accepting only a list of host-sources and failing closed if a source-list is given. I am worried that silently discarding extra path information might give devs a false sense of security.

On 27 August 2014 08:53, Hill, Brad <bhill@paypal.com> wrote:

> One final last call comment if it’s not too late…
>
> The directive-value ABNF for frame-ancestors is just listed as “source-list”.
>
> The previous ABNF when it was in the UISecurity spec, and previous X-Frame-Options behavior, should only accept a list of host-sources, or should discard any extra path information and use only the Origin. This is not reflected in current spec text.
>
> -Brad
Received on Thursday, 28 August 2014 05:06:43 UTC
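The two options under discussion (fail closed when a frame-ancestors source carries a path, versus silently dropping the path and matching on origin only) are easiest to compare in code. The following is an added example, not code from the thread, from any browser, or from the CSP spec: a toy frame-ancestors evaluator with a `mode` switch. The function names (`parseFrameAncestors`, `ancestorAllowed`, etc.), the hostnames, and the simplified scheme and port rules are all assumptions made for illustration; in particular, a source with no scheme is simply required to match the page's own scheme here.

```javascript
// Added example (not from the W3C thread, a browser, or the CSP spec).
// Toy evaluator for a frame-ancestors directive value, showing the two
// policies discussed: 'fail-closed' (any path in a source expression makes
// the directive deny all framing) versus 'discard-path' (the path is ignored
// and only scheme/host/port are matched). All names are hypothetical.

const DEFAULT_PORTS = { http: '80', https: '443' };

// Split the directive value into source expressions.
// Returns { sources, hasPath }; hasPath is true if any host-source had a path.
function parseFrameAncestors(value) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  const sources = [];
  let hasPath = false;
  for (const tok of tokens) {
    const lower = tok.toLowerCase();
    if (lower === "'none'" || lower === "'self'") {
      sources.push({ kind: lower });
      continue;
    }
    // scheme-source, e.g. "https:"
    let m = /^([a-z][a-z0-9+.-]*):$/.exec(lower);
    if (m) {
      sources.push({ kind: 'scheme', scheme: m[1] });
      continue;
    }
    // host-source: [scheme "://"] host [":" port] [path]
    m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/.*)?$/.exec(lower);
    if (!m) throw new Error('unparseable source expression: ' + tok);
    if (m[4]) hasPath = true;
    sources.push({ kind: 'host', scheme: m[1] || null, host: m[2], port: m[3] || null, path: m[4] || null });
  }
  return { sources, hasPath };
}

// Host pattern match: "*" matches anything, "*.example.com" matches subdomains only.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Reduce a URL to { scheme, host, port } with the default port filled in.
function parseOrigin(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.replace(/:$/, '');
  return { scheme, host: u.hostname, port: u.port || DEFAULT_PORTS[scheme] || '' };
}

// Does one source expression match the ancestor's origin? Note: the path, if
// any, is deliberately never consulted here; only ancestorAllowed decides
// whether its presence is fatal.
function sourceMatches(src, origin, self) {
  switch (src.kind) {
    case "'none'":
      return false;
    case "'self'":
      return origin.scheme === self.scheme && origin.host === self.host && origin.port === self.port;
    case 'scheme':
      return origin.scheme === src.scheme;
    case 'host': {
      // Assumption: a source without a scheme must match the page's own scheme.
      const wantScheme = src.scheme || self.scheme;
      if (wantScheme !== origin.scheme) return false;
      if (!hostMatches(src.host, origin.host)) return false;
      if (src.port === '*') return true;
      const wantPort = src.port || DEFAULT_PORTS[origin.scheme];
      return wantPort === origin.port;
    }
  }
  return false;
}

// mode: 'fail-closed' or 'discard-path' (see header comment).
function ancestorAllowed(directiveValue, ancestorUrl, selfUrl, mode) {
  const { sources, hasPath } = parseFrameAncestors(directiveValue);
  if (hasPath && mode === 'fail-closed') return false; // path present: deny everything
  if (sources.some((s) => s.kind === "'none'")) return false;
  const origin = parseOrigin(ancestorUrl);
  const self = parseOrigin(selfUrl);
  return sources.some((s) => sourceMatches(s, origin, self));
}
```

With the constructed value `https://parent.example.com/embed`, the 'discard-path' mode lets `https://parent.example.com/anything` frame the page, which is exactly the outcome the reply worries about: the developer wrote a path, but the path never restricted anything. The 'fail-closed' mode refuses all framing for that directive, so the mistake surfaces immediately.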